Skip to main content
In October 2023, a Yearn vault suffered a $11.6M exploit due to a misconfigured withdrawal mechanism that went undetected for days. The vault’s code was upgradeable, the admin key was an EOA, and there was no timelock. All of these were detectable signals. This guide shows you how to screen vaults before listing and monitor them continuously across 6 EVM chains.

Why Vault Risk Screening Matters

Compliance

Automated listing verdicts help you meet due diligence requirements for DeFi integrations

Risk Management

Catch governance risks, liquidity traps, and code vulnerabilities before your users deposit

User Protection

Surface vault health data so users can make informed decisions about their capital
Why teams choose Webacy for vault screening:
  • 7 risk categories, 41 tags — Covers structure, governance, liquidity, code quality, asset risk, performance, and protocol risk
  • Listing verdictssafe_to_list, caution, review_required, do_not_list — actionable decisions, not just numbers
  • Sub-500ms responses — Screen vaults in real-time without blocking your UI
  • 6 EVM chains — ETH, ARB, BASE, OPT, POL, BSC from a single API

Prerequisites

Before implementing vault screening, ensure you have:
  • A Webacy API key (sign up here)
  • Basic familiarity with REST APIs or the Webacy SDK
  • Your vault listing or portfolio management flow identified for integration points

Screen a Vault Before Listing

Before surfacing a vault to users, check its risk rating and listing verdict. 
curl -X GET "https://api.webacy.com/vaults/0x0deFfd509197aAD5207d2A55862835b467E8128F?chain=eth" \
  -H "x-api-key: YOUR_API_KEY"
Key response fields:
FieldDescriptionAction
riskScore0-100 composite ratingSet your threshold (e.g., >50 = review)
tierlow / medium / high / criticalQuick categorization
listingVerdictsafe_to_list / caution / review_required / do_not_listDirect listing decision
withdrawalRisknull / constrained / delayed / illiquid / locked / blockedUser exit condition
risk.issues[]Array of risk tags with severityUnderstand what’s driving the rating

Listing Verdict Decision Logic

VerdictAction
safe_to_listAuto-approve for listing
cautionList with a risk warning badge
review_requiredQueue for manual review before listing
do_not_listBlock from listing — has blocking risk tags or rating >= 75

Monitor High-Risk Vaults

Once vaults are listed, monitor them continuously for changes. 
# Get all vaults needing attention, sorted by risk
curl -X GET "https://api.webacy.com/vaults?attentionNeeded=true&sort=score_desc&pageSize=50" \
  -H "x-api-key: YOUR_API_KEY"
Useful filters for monitoring:
FilterExampleUse Case
tier=criticalOnly critical vaultsAlert pipeline
attentionNeeded=trueVaults with state changesDaily monitoring
riskFlags=vault-redemption-closedSpecific risk conditionTargeted alerts
chain=eth&minTvl=1000000Chain + TVL thresholdPortfolio-relevant vaults

Build a Vault Risk Dashboard

Fetch a paginated list of vaults with risk data for a dashboard view. 
# USDC vaults on Ethereum, sorted by TVL
curl -X GET "https://api.webacy.com/vaults?chain=eth&underlying=USDC&sort=tvl_desc&pageSize=25" \
  -H "x-api-key: YOUR_API_KEY"

Complete Integration Workflow

Here’s how vault screening fits into a typical platform.

Vault Listing Flow

Implementation Example

const API_BASE = 'https://api.webacy.com';
const API_KEY = process.env.WEBACY_API_KEY;

const headers = { 'x-api-key': API_KEY };

// Screen a vault before listing
async function screenVault(address: string, chain: string) {
  const res = await fetch(
    `${API_BASE}/vaults/${address}?chain=${chain}`,
    { headers }
  );
  const vault = await res.json();

  return {
    address,
    chain,
    name: vault.name,
    riskScore: vault.riskScore,
    tier: vault.tier,
    verdict: vault.listingVerdict,
    withdrawalRisk: vault.withdrawalRisk,
    tags: vault.risk?.issues?.flatMap(i => i.tags?.map(t => t.key)) ?? [],
  };
}

// Decide listing action based on verdict
function decideListing(vault: Awaited<ReturnType<typeof screenVault>>) {
  switch (vault.verdict) {
    case 'safe_to_list':
      return { action: 'LIST', badge: null };
    case 'caution':
      return { action: 'LIST', badge: 'risk-warning' };
    case 'review_required':
      return { action: 'REVIEW', badge: 'pending-review' };
    case 'do_not_list':
      return { action: 'BLOCK', badge: null, reason: vault.tags.join(', ') };
  }
}

// Monitor all listed vaults
async function monitorVaults() {
  const res = await fetch(
    `${API_BASE}/vaults?attentionNeeded=true&sort=score_desc&pageSize=100`,
    { headers }
  );
  const { data } = await res.json();

  const alerts = data.filter(v => v.tier === 'critical' || v.tier === 'high');

  for (const vault of alerts) {
    console.log(
      `[${vault.tier.toUpperCase()}] ${vault.name} — ` +
      `Rating: ${vault.riskScore}/100, ` +
      `Verdict: ${vault.listingVerdict}`
    );
  }

  return alerts;
}

// Example usage
const result = await screenVault(
  '0x0deFfd509197aAD5207d2A55862835b467E8128F',
  'eth'
);
const decision = decideListing(result);
console.log(`${result.name}: ${decision.action}`);

API Quick Reference

EndpointUse CaseResponse Time
GET /vaultsList all vaults with risk data~300ms
GET /vaults/{address}?chain={chain}Full vault risk detail~500ms
Authentication: 
Header: x-api-key: YOUR_API_KEY
Base URL: https://api.webacy.com
Supported chains: eth, arb, base, opt, pol, bsc

Next Steps

Vault Risk API

Full endpoint reference with all query parameters

Rating Methodology

How vault risk ratings are computed — sub-ratings, penalties, and floors

Stablecoin Depeg Monitoring

Monitor the stablecoins that underlie your vaults

Risk Tags Reference

Complete list of all risk tags and what they mean