Remember the Terra/Luna collapse? One day you’re looking at $40 billion in “safe” yield, the next you’re holding pixels worth less than a candy bar. We’ve all watched friends lose life-changing money because the only risk tools we had were Total Value Locked charts and Twitter sentiment. Turns out those aren’t enough.
Yesterday something actually new landed in the Web3 security space, and honestly? It feels like the tool many of us have been waiting three years for.
The Missing Piece: Probability of Loss Comes to Crypto
HAI Group – the parent company behind Hacken – just released CORE.3, a completely open risk intelligence platform that does one thing really well: it tells you the actual mathematical probability that you’ll lose money interacting with a Web3 project.
Not “vibes-based” scoring. Not security checklists that every project can game. An actual Probability of Loss (PoL) number derived from more than 100 on-chain and off-chain data points.
In my view, this might be the closest thing we’ve seen to a “credit score” for crypto protocols. And unlike traditional ratings agencies, everything is transparent and projects can actually respond to their scores.
Why TVL and Sentiment Have Failed Us
Let’s be brutally honest for a second. Total Value Locked became the lazy metric of the 2021-2024 cycle. A project could borrow $500M, deposit it in their own protocol, and suddenly look “safe” with massive TVL. We saw this play out in real time.
Sentiment scoring? Even worse. I’ve lost count of how many “100% safe” projects with perfect community scores rugged two weeks later.
CORE.3 throws both of these in the trash where they belong and starts from a different question: “Given everything we can measure today, what’s the actual probability this project causes financial loss in the next 12 months?”
The goal isn’t to create another subjective rating. It’s to give the market a standardized, quantifiable risk metric that evolves with the data.
How the PoL Score Actually Works
The methodology is surprisingly elegant. They built a three-layer system:
- Conditions – Raw facts (was the audit remediated? Are admin keys multisig? Is there reserve proof?)
- Metrics – Grouped assessments (smart contract risk score, treasury transparency score, etc.)
- Categories – Weighted risk domains where security gets significantly higher weighting than “reputation”
Security vulnerabilities can swing your PoL by 30-40% on their own. A single unrenounced admin key? That’s an automatic massive penalty. This weighting actually makes sense – most money lost in crypto comes from exploit vectors, not “bad community vibes.”
The part I find genuinely clever? They created a completely separate “Proof-of-Opinion” layer for subjective stuff – team background, ecosystem relevance, marketing effectiveness – but none of this feeds into the PoL score. It keeps the core risk metric clean and quantitative.
What the First 50 Projects Reveal
The initial batch covers 50 protocols (mostly DeFi blue chips mixed with some newer players), and the results are… fascinating.
Some projects that look pristine on DefiLlama actually have shockingly high PoL numbers when you dig into admin key structure and upgradeability patterns. Others that the Twitter crowd loves to hate? Surprisingly solid scores once you strip away the noise.
Perhaps most interesting – several “fully audited” projects still carry elevated risk because those audits happened 18 months ago and the contracts have been upgraded multiple times since. The system catches this automatically.
| Risk Factor | Typical PoL Impact |
| Unrenounced admin keys | +25-40% |
| No recent audit (≤6mo) | +15-25% |
| Proxy upgrade pattern without timelock | +20-35% |
| Verified reserve proof | -15-25% |
| Multisig treasury with ≥5 signers | -10-20% |
These aren’t theoretical numbers – they’re what the platform is already showing in its first dataset.
The Open Framework Advantage
Here’s where CORE.3 gets really interesting: it’s completely open.
Any project can see their score at app.CORE3.io. More importantly, they can actively dispute data points, submit new evidence, and watch their PoL change in real-time as they fix issues.
Think about that implications. A protocol launches with a high PoL because they haven’t implemented a timelock yet. They add the timelock next week, submit the transaction proof, and watch their score drop 18% overnight. That’s powerful incentive alignment.
In my experience covering this space, most security improvements happen because someone got hacked. This creates a path where projects fix things before the exploit – because users can now see the risk in real numbers.
Why This Actually Matters in 2025
We’re entering what many are calling the “institutional adoption” phase of crypto. But institutions don’t care about your Telegram group size. They care about measurable, auditable risk.
When a family office asks “why should we allocate to this yield protocol instead of Aave?”, being able to point to a 9% PoL versus Aave’s 23% PoL is the kind of answer they understand.
More importantly, regular users finally get something better than “trust me bro” security. You can look at two similar farming protocols and immediately see which one has proper admin key management, recent audits, and transparent reserves.
The Road to 1,000+ Projects
The team says they’ll scale to over 1,000 projects within three months. Given Hacken’s existing data infrastructure, this feels achievable.
What happens when every meaningful DeFi protocol has a public PoL score? My guess – we’ll see a genuine flight to quality. The projects that invest in real security (not just paid audit badges) will win the capital.
The ones cutting corners? They’ll either fix their issues or watch their TVL evaporate as users migrate to lower-PoL alternatives. In a weird way, this might be the market mechanism we’ve needed to actually punish bad security practices.
Final Thoughts: A New Standard Is Born
Look, I’ve been extremely skeptical of every “crypto rating” platform that’s launched since 2018. They all suffered from the same problems – opaque methodology, pay-to-play dynamics, or just regurgitating existing data.
CORE.3 feels different. The methodology is public. The data sources are verifiable. Projects can improve their scores through actual security upgrades, not marketing spend.
Most importantly? It’s asking the right question: not “does this project look safe?” but “what’s the actual probability I’ll lose money here?”
In a space that’s lost hundreds of billions to preventable exploits, having that number – transparent, standardized, and actionable – feels like the maturity marker we’ve been waiting for.
The next few months are going to be fascinating. As more projects get scored and users start making decisions based on PoL instead of marketing, we’re probably going to see some established names take serious reputation hits.
And honestly? That’s exactly what this industry needs.
