
Without an accountability mechanism, DeFi will continue to repeat its failures

Core Viewpoint
Summary: The intermediary that charges fees must bear the responsibility for the risks it causes.
BlockBeats
2025-11-20 16:13:18
Original Title: DeFi Risks: Curators as new Brokers
Original Author: @yq_acc
Translation: Peggy, BlockBeats

Editor’s Note: Since 2020, DeFi has expanded rapidly, with total value locked (TVL) once exceeding $100 billion, giving rise to the risk curator model. However, in the absence of regulation, identity disclosure, and risk constraints, risk curators manage billions of dollars of user funds, leading to frequent systemic failures. In November 2025, the collapse of Stream Finance triggered a loss of $285 million, exposing the core issues of the risk curator model.

Against this backdrop, this article analyzes in depth the root causes of risk in the current model and proposes technical improvements.

Here is the original text:

New Financial Intermediaries: "Risk Curators"

In the past eighteen months, a new type of financial intermediary has emerged in DeFi. These entities call themselves risk curators, treasury managers, or strategy operators.

They manage billions of dollars in user deposits on protocols like Morpho (approximately $7.3 billion) and Euler (approximately $1.1 billion), responsible for setting risk parameters, selecting collateral types, and deploying funds into yield strategies. They charge a performance fee of 5% to 15%, yet operate without licenses, regulatory scrutiny, mandatory disclosure of qualifications or past performance, and often do not disclose their true identities.

The collapse of Stream Finance in November 2025 revealed how this structure performs under stress.

This contagion affected the entire ecosystem, resulting in losses of $285 million. Risk curators, including TelosC ($123.64 million), Elixir ($68 million), MEV Capital ($25.42 million), and Re7 Labs (two treasuries totaling $27.4 million), concentrated user deposits into a single counterparty, which used 7.6 times leverage with only $1.9 million in real collateral.

Warnings were public and clear: CBB released leverage ratios on October 28, and Schlagonia directly warned Stream 172 days before the collapse. However, these warnings were ignored, as the incentive structure encouraged the neglect of risk.

The risk curator model follows a familiar pattern from traditional finance but strips away the accountability mechanisms built over centuries of costly failures.

When banks or brokers manage client funds, they must meet capital requirements, registration obligations, fulfill fiduciary duties, and undergo regulatory scrutiny. In contrast, when DeFi risk curators manage client funds, they face only market incentives, which reward asset accumulation and yield maximization rather than risk management. The protocols supporting risk curators claim to be neutral infrastructure, earning fees from activities while denying responsibility for risks.

This position is unsustainable; traditional finance abandoned this notion decades ago due to repeated disasters, with the profound lesson being: intermediaries that earn fees cannot be completely absolved of responsibility.

Inevitable Failures

Stream Finance: Permissionless Architecture and Its Consequences

Morpho and Euler operate as permissionless lending infrastructures. Anyone can create a treasury, set risk parameters, choose acceptable collateral, and start attracting deposits.

The protocols provide smart contract infrastructure and earn fees from activities. This architecture does have advantages: permissionless systems promote innovation by removing gatekeepers that may obstruct new approaches due to unfamiliarity or competing interests; they provide financial services to participants who may be excluded by traditional systems; and they create transparent, auditable transaction records on-chain.

However, this architecture also brings fundamental issues exposed in November 2025.

Without gatekeeping, there is no control over who becomes a risk curator; without registration requirements, there is no accountability when risk curators fail; without identity disclosure, risk curators can accumulate losses under one name and then restart under a new name; without capital requirements, risk curators have no "skin in the game" beyond their reputation, which can be easily discarded.

Ernesto Boado, founder of BGD Labs and contributor to Aave, directly summarized the problem: risk curators are "selling your brand for free to gamblers." The protocols earn fees, risk curators earn performance fees, and users bear the losses when inevitable failures occur.

Permissionless architecture creates a specific failure mode, with Stream Finance being a typical case.

Since anyone can create a treasury, risk curators compete for deposits by offering higher yields. Higher yields either rely on true alpha (scarce and unsustainable at scale) or on higher risks (common and catastrophic once exposed).

Users see "18% annual yield" but do not investigate the source. They assume that those with the title of "risk curator" have conducted due diligence. Meanwhile, risk curators see opportunities for fee income and thus accept risks that should have been rejected by prudent risk management. The protocols see TVL growth and fee income and do not intervene, as permissionless systems inherently should not set thresholds.

This competitive dynamic leads to a "race to the bottom."

If risk curators conservatively manage risks, they attract fewer deposits due to lower yields; whereas those who take excessive risks achieve higher yields, attract more deposits, earn more fees, and appear successful until failure occurs.

The market cannot distinguish between sustainable yields and unsustainable high-risk behavior before failure occurs. Once failure happens, losses are distributed across the ecosystem, and risk curators face no consequences beyond reputational damage, which is nearly irrelevant when they can restart under a new name.

RE7 Labs: Conflicts of Interest and Incentive Failures

The risk curator model embeds fundamental conflicts of interest, making failures like Stream Finance's almost inevitable.

Risk curators earn fees by managing asset scale and performance, directly incentivizing them to maximize deposits and yields, regardless of the risks involved in achieving those numbers. Users seek safety and reasonable returns, while risk curators seek fee income.

These incentives diverge at the most dangerous moments, especially when yield opportunities require accepting risks that users would reject if they were aware.

The case of RE7 Labs is instructive, as they documented their failure mode. Before launching the xUSD integration, their due diligence identified the issue of "centralized counterparty risk." This analysis was correct.

Stream concentrated risk on an anonymous external fund manager, who was completely opaque regarding positions or strategies. RE7 Labs, aware of this risk, still pushed forward with the xUSD integration, citing "significant user and network demand." The opportunity for fee income outweighed the risk to user funds. When these funds ultimately incurred losses, RE7 Labs faced only reputational damage, with no financial consequences, while users bore 100% of the losses.

This incentive structure is not only misaligned but actively punishes prudent behavior.

Risk curators who refuse high-yield opportunities due to excessive risk will lose deposits to competitors who accept the risks. Prudent curators earn lower fees and appear to perform poorly; reckless curators earn higher fees and attract more deposits until failure occurs.

In the meantime, reckless curators accumulate significant fee income, which is not recovered when users subsequently suffer losses. Multiple risk curators and treasury managers reallocated user funds to xUSD positions without transparent disclosure, unknowingly exposing depositors to Stream's recursive leverage and off-chain opacity. Users deposited into what was marketed as a conservative yield strategy treasury, only to find their funds concentrated with a counterparty using 7.6 times leverage.

The fee structure for risk curators typically includes a performance fee of 5% to 15% on generated yields. This sounds reasonable, but a closer analysis reveals severe asymmetry: risk curators share a portion of the profits but bear no losses. They have a strong incentive to maximize yields but almost no incentive to minimize risks.

For example, a treasury with $100 million in deposits and a yield of 10% could earn $1 million with a 10% performance fee. If they take double the risk and raise the yield to 20%, they could earn $2 million. If risk exposure leads to a 50% loss of principal for users, the risk curator only loses future fee income from that treasury but retains all fees previously earned. Users lose $50 million. This is an economic model of "I win, you lose."

The protocols themselves also face conflicts of interest when dealing with risk curator failures.

Morpho and Euler earn fees from treasury activities, giving them a financial incentive to maximize activity levels, which means maximizing deposits, allowing high-yield treasuries to attract deposits even if those treasuries take excessive risks. The protocols claim to be neutral, believing that permissionless systems should not set thresholds. However, they are not truly neutral, as they profit from the activities they facilitate.

Traditional financial regulation recognized this issue centuries ago: entities profiting from intermediary activities cannot be completely absolved of risk responsibility. Brokers earning commissions have certain obligations to client orders. DeFi protocols have yet to accept this principle.

Morpho Incident: Accountability Vacuum

When traditional brokers or asset managers cause client fund losses, consequences include regulatory investigations, possible license revocation, civil liability for breaching fiduciary duties, and criminal prosecution in cases of fraud or gross negligence. These consequences create incentives for prudent behavior beforehand. Managers who take excessive risks for personal gain realize that the personal consequences of failure are severe. While this does not prevent all failures, it significantly reduces reckless behavior compared to a system without accountability.

When DeFi risk curators cause client fund losses, they face only reputational damage, with no other consequences. They have no licenses to revoke, no regulatory investigations because no regulatory body has jurisdiction. They have no fiduciary duties, as the legal relationship between risk curators and depositors is undefined. They have no civil liability, as identities are often unknown, and most DeFi protocols' terms of service explicitly state disclaimers. They can accumulate losses, close treasuries, and then restart under a new name and treasury on the same protocol.

The events that occurred on Morpho in March 2024 illustrate how the accountability vacuum operates in practice.

A Morpho treasury using Chainlink oracles lost approximately $33,000 due to oracle price deviations. When users sought compensation, they encountered systemic deflection: Morpho claimed to be merely infrastructure and did not control treasury parameters; treasury risk curators claimed they only operated within the protocol guidelines; Chainlink asserted that the oracle's performance was compliant. No entity took responsibility, and no users received compensation. The incident was small in scale and did not trigger broader market consequences, but it established a precedent: when losses occur, no one is accountable.

This accountability vacuum is by design, not oversight. The protocols explicitly avoid responsibility through structure: terms of service state disclaimers, documentation emphasizes that the protocol is permissionless infrastructure that does not control user behavior, and the legal structure places protocol governance under a foundation or DAO, choosing jurisdictions with less regulatory oversight. From the protocol's perspective, this is legally sound, but it creates a system where billions of dollars in user funds are managed by entities with no substantive accountability mechanisms.

Economics has a term for this: moral hazard. When entities do not bear consequences for failure, they take excessive risks because the potential gains belong to them while the losses are borne by others.

Identity Disclosure and Accountability: Many risk curators operate under pseudonyms or anonymously. This is sometimes justified for personal safety or privacy, but it directly impacts accountability. When risk curators cannot be identified, they cannot be held legally accountable for negligence or fraud; even if they accumulate records of failures, they cannot be excluded from operations; they cannot face professional sanctions or reputational penalties because these penalties cannot follow their true identities. Anonymity eliminates the only existing accountability mechanism in the absence of regulation. In traditional finance, even without regulatory enforcement, managers who ruin client funds still face civil liability and reputational consequences that follow their true identities. In DeFi, they face neither.

Black Box Strategies and Professional Illusions

Risk curators package themselves as risk management experts, claiming to select safe assets, set reasonable parameters, and deploy funds wisely. Marketing language emphasizes professionalism, complex analysis, and prudent risk management.

But the reality (as proven in November 2025) is that many risk curators lack the infrastructure, expertise, and even the intent to manage risks appropriately. Traditional financial institutions typically allocate 1%-5% of their staff to risk management functions, with independent risk committees, dedicated oversight teams, stress testing capabilities, and scenario analyses required by regulators. In contrast, DeFi risk curators are often small teams or individuals focused on yield and asset accumulation.

Strategies themselves rarely have meaningful disclosures. Risk curators use terms like "Delta-neutral trading," "hedged market making," and "optimized yield farming," which sound professional but provide no insight into actual positions, leverage ratios, counterparty risks, or risk parameters.

This opacity is sometimes justified as protecting proprietary strategies from front-running or competition, but users have a legitimate need to understand the risks they are taking. Opacity is not a feature but a flaw that allows fraud and reckless behavior to persist until failure forces the truth to emerge.

Stream Finance took the opacity issue to catastrophic scales. They claimed to have $500 million in TVL, but only $200 million was verifiable on-chain, with the remaining $300 million allegedly existing in off-chain positions managed by "external fund managers," whose identities, qualifications, strategies, and risk management processes were never disclosed.

Stream used terms like "Delta-neutral trading" and "hedged market making" but never explained the specific positions or actual leverage ratios involved in these strategies. When Schlagonia's post-collapse analysis revealed that recursive lending structures synthesized 7.6 times expansion from $1.9 million in real collateral, depositors were completely shocked. They had no way of knowing that their "stablecoin" was actually supported by infinitely recursive borrowed assets rather than real reserves.

The professional illusion is particularly dangerous because it leads users to relinquish their judgment.

When someone with the title of "risk curator" accepts a high-yield opportunity, users assume due diligence has been completed. The reality, as shown in the RE7 Labs case, is that due diligence often identifies risks but is then ignored. Their own analysis flagged Stream's centralized counterparty risk before integrating xUSD, yet they proceeded because user demand and fee income outweighed the identified risks.

The professional capability existed, the analysis was performed, and the conclusions were correct, but they were ultimately overridden by commercial incentives. This is worse than incompetence, as it reveals that even when risk curators have the ability to identify risks, the incentive structure still leads them to ignore their findings.

Proof of Reserves: Technically Feasible but Rarely Implemented

Cryptographic techniques for verifiable proof of reserves have existed for decades. Merkle trees can prove solvency without exposing account details; zero-knowledge proofs can demonstrate reserve ratios without disclosing trading strategies.

These technologies are mature, easy to understand, and computationally efficient. Stream Finance's failure to implement any form of proof of reserves is not due to technical limitations but a deliberate choice for opacity, allowing them to maintain fraud for months despite multiple public warnings. Protocols should require all risk curators managing deposits above a threshold to provide proof of reserves. The lack of proof of reserves should be treated as equivalent to a bank refusing external audits.

Evidence: The Collapse of Stream Finance

The collapse of Stream Finance provides a complete case study demonstrating how the risk curator model fails. The sequence of events reflects all the issues of the current architecture: insufficient due diligence, conflicts of interest, ignored warnings, opacity, and lack of accountability. Understanding this case in depth is a prerequisite for understanding why systemic change is necessary.

Timeline of Failures

172 days before the collapse, Yearn Finance developer Schlagonia examined Stream's positions and directly warned the team that the structure was destined to fail. A mere 5 minutes of analysis identified a fatal flaw: Stream's on-chain verifiable $170 million in collateral supported $530 million in borrowing across multiple DeFi protocols, with a leverage ratio of 4.1 times. The strategy involved recursive lending, where Stream borrowed against deUSD collateral to mint more xUSD, creating a circular dependency that guaranteed both assets would collapse simultaneously. The remaining $330 million in TVL was entirely in off-chain positions managed by anonymous external managers.

On October 28, 2025, industry analyst CBB published specific warnings along with on-chain data: "xUSD has only about $170 million on-chain supporting it. They borrowed about $530 million from lending protocols. This is 4.1 times leverage, and the positions are highly illiquid. This is not yield farming; it is extreme gambling." These warnings were public, specific, and accurate, identifying leverage ratios, liquidity risks, and the fundamental recklessness of the structure. In the following week, multiple analysts amplified these warnings.

Despite the ongoing warnings, risk curators continued to hold positions and attract new deposits. TelosC maintained a $123.64 million exposure, MEV Capital held $25.42 million, and Re7 Labs kept $27.4 million across two treasuries. The warnings were ignored because taking action would mean reducing positions and decreasing fee income, making risk curators appear to perform worse than those who continued to hold.

On November 4, 2025, Stream announced that an external fund manager had lost approximately $93 million and immediately suspended withdrawals. Within hours, xUSD plummeted from $1.00 to $0.23 on the secondary market, a drop of 77%. Elixir's deUSD (with 65% of its reserves lent to Stream) collapsed from $1.00 to $0.015 within 48 hours, a drop of 98%. The total contagion exposure reached $285 million, with Euler facing approximately $137 million in bad debts and over $160 million frozen across multiple protocols.

Risk Curators vs. Traditional Brokers

Comparing DeFi risk curators with traditional brokers is enlightening, as it reveals what accountability mechanisms are lacking in the curator model. This is not an argument that traditional finance is an ideal model or that its regulatory structure should be directly replicated.

Traditional finance also has its failures, costs, and exclusivity. However, after centuries of costly lessons, it has gradually established accountability mechanisms, while the curator model explicitly abandons these mechanisms.

Technical Recommendations

The risk curator model does have its advantages: it achieves capital efficiency by allowing professionals to set risk parameters rather than adopting a "one-size-fits-all" protocol default; it promotes innovation by allowing experimentation with different strategies and risk frameworks; and it enhances accessibility by removing gatekeepers that may exclude participants based on scale, geography, or unfamiliarity.

These advantages can be retained while addressing the accountability issues exposed in November 2025. The following recommendations are based on empirical evidence from DeFi failures over the past five years:

1. Mandatory Identity Disclosure

Risk curators managing deposits above a threshold (suggested at $10 million) should be required to disclose their true identities to a registry maintained by the protocol or an independent entity. This does not require public disclosure of home addresses or personal details, but must ensure that risk curators can be identified and held accountable in cases of fraud or gross negligence. Anonymity is incompatible with managing others' funds on a large scale. Privacy reasons are often used to justify anonymity in DeFi, but this does not apply to entities earning fees for managing client funds.

2. Capital Requirements

Risk curators should be required to maintain a certain amount of risk capital, which would be deducted when their treasury losses exceed a specified threshold. This aligns incentives through "skin in the game." Specific structures could include: curators needing to stake collateral that gets deducted when treasury losses exceed 5% of deposits, or requiring curators to hold subordinated tranches of their own treasury to absorb first-round losses. Currently, the structure allows curators to earn fees without risk capital, creating moral hazard, which capital requirements can address.

3. Mandatory Information Disclosure

Risk curators should be required to disclose strategies, leverage ratios, counterparty risks, and risk parameters in a standardized format for comparison and analysis. Claims that disclosure would harm proprietary strategies are mostly excuses. Most curator strategies are merely variations on known yield farming techniques. Real-time disclosure of leverage ratios and concentrations will not harm alpha but will allow users to understand the risks they are taking.

4. Proof of Reserves

Protocols should require all risk curators managing deposits above a threshold to provide proof of reserves. Cryptographic techniques for verifiable proof of reserves are mature and efficient. Merkle trees can prove solvency without exposing individual positions, and zero-knowledge proofs can verify reserve ratios without disclosing trading strategies. A lack of proof of reserves should disqualify curators from managing deposits. This measure could have prevented Stream Finance from maintaining $300 million in unverifiable off-chain positions.
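One way the Merkle-tree approach named here and in the earlier "Proof of Reserves" section can work, shown as an added example that is not from the original article or from any protocol's code: a Merkle sum tree commits to every depositor's balance and to total liabilities, and each depositor checks their own inclusion without seeing other accounts. The depositor records, salts and reserve figures are constructed, and reserves are assumed to be attested separately (for example, from on-chain balances).

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def enc(amount: int) -> bytes:
    return amount.to_bytes(16, "big")  # raises OverflowError on negative amounts

def leaf(account_id: str, balance: int, salt: bytes):
    """Leaf node = (salted hash hiding the account, balance)."""
    return (h(b"\x00", salt, account_id.encode(), enc(balance)), balance)

def parent(left, right):
    """Parent commits to both child hashes AND both child sums."""
    digest = h(b"\x01", left[0], enc(left[1]), right[0], enc(right[1]))
    return (digest, left[1] + right[1])

def build(leaves):
    """Return every tree level, leaves first; the last level holds the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append((h(b"\x02"), 0))  # zero-balance padding node
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Inclusion proof: list of (sibling node, sibling_is_left) up to the root."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(root, account_id, balance, salt, path):
    """Depositor-side check that their balance is counted in the published root."""
    if balance < 0:
        return False
    node = leaf(account_id, balance, salt)
    for sibling, sibling_is_left in path:
        if sibling[1] < 0:  # a negative sum would understate total liabilities
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == root

def is_solvent(root, attested_reserves):
    """Solvency holds only if attested reserves cover the committed liabilities."""
    return attested_reserves >= root[1]

# Constructed sample data (hypothetical depositors; salts would be random secrets
# handed to each depositor in a real deployment).
DEPOSITORS = [("alice", 1200), ("bob", 300), ("carol", 50), ("dave", 4000), ("erin", 75)]
SALTS = [bytes([i + 1]) * 16 for i in range(len(DEPOSITORS))]
LEVELS = build([leaf(a, b, s) for (a, b), s in zip(DEPOSITORS, SALTS)])
ROOT = LEVELS[-1][0]

if __name__ == "__main__":
    print("committed liabilities:", ROOT[1])
    for i, (name, bal) in enumerate(DEPOSITORS):
        print(name, "included:", verify(ROOT, name, bal, SALTS[i], prove(LEVELS, i)))
    print("solvent with reserves of 2000:", is_solvent(ROOT, 2000))
```

Sibling sums in a proof still reveal partial aggregates of neighbouring accounts; the zero-knowledge approach the article mentions is what removes that leak.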

5. Concentration Limits

Protocols should enforce concentration limits to prevent risk curators from allocating excessive proportions of treasury deposits to a single counterparty. Elixir lent 65% of its deUSD reserves ($68 million out of $105 million) to Stream through a private Morpho treasury. This concentration ensured that Stream's failure would destroy Elixir. Concentration limits should be set at a maximum exposure of 10%-20% to a single counterparty and enforced at the smart contract level to avoid circumvention.

6. Protocol Accountability

Protocols that earn fees from risk curator activities should bear some responsibility. This could include: funding an insurance pool from protocol fees to compensate users for losses caused by curator failures, or maintaining a list of curators that excludes those with poor records or insufficient disclosures. The current model, where protocols earn fees while completely denying responsibility, is economically unreasonable. Intermediaries that earn fees must bear accountability obligations.

Conclusion

The current implementation of the risk curator model represents an accountability vacuum, with billions of dollars in user funds managed by entities with no substantive constraints on behavior and no real consequences for failures.

This is not a rejection of the model itself. Capital efficiency and specialized risk management do have advantages. However, the model must introduce accountability mechanisms, just as traditional finance developed its mechanisms through centuries of costly lessons. DeFi can develop mechanisms suited to its own characteristics, but it cannot abandon accountability entirely and still expect outcomes different from those traditional finance experienced without such mechanisms.

The current structure guarantees repeated failures until the industry accepts a fact: intermediaries that earn fees must bear responsibility for the risks they create.

[Original Link]
