Crypto due diligence is getting more “institutional” fast. A clear signal came on January 22, when BitGo went public in the U.S., putting custody and controls back at the center of the conversation. At the same time, U.S. regulators are publishing new guidance on how securities laws apply when assets move on-chain, including “tokenized securities.”
And the risks are not theoretical. Industry trackers estimated roughly $400 million in crypto losses from exploits in January, with one major incident accounting for most of the damage. Markets have also been jumpy, with sharp price moves and options markets showing higher “tail risk,” a fancy term for bigger-than-normal downside swings.
This is why investors need one unified framework. Not five separate checklists. Below is a practical model you can use like a credit committee would: layered, linked, and built for stress tests.
What Happened
Many investors still split crypto risk into neat boxes: custody risk goes to ops, compliance goes to legal, liquidity goes to trading, and governance goes to the “crypto team.” That structure breaks when something goes wrong.
A single phishing attack can start as an operational failure, turn into a custody problem, trigger legal disclosures, freeze liquidity, and end in a governance fight about who pays users back. January’s loss numbers are a reminder that the “how” of failure matters as much as the “what.”
Meanwhile, regulators are also connecting the dots. On January 28, the U.S. Securities and Exchange Commission published a staff statement that lays out how it is thinking about tokenized securities and the rules that may apply.
Why It Matters
A unified framework helps institutions answer one core question: What can break, how does it spread, and what stops it? In crypto, failure often cascades across teams and vendors.
Think of it as a stack, from the most basic controls to the most crypto-native risks:
1) Operational risk (people, process, plumbing)
This is where most disasters start. Key management, access control, vendor permissions, incident response, and basic segregation of duties all sit here.
Key checks:
Who can move assets, and under what approvals?
How are keys stored (HSMs, MPC, cold storage), and who audits it?
What happens at 2 a.m. during an incident?
2) Legal and compliance risk (rules, disclosures, and enforceability)
Crypto structures can look simple until you read the contracts. Is your custody agreement clear about title, bankruptcy treatment, and sub-custodians? Are you holding something that could be treated as a security?
The SEC’s tokenized securities statement matters because it highlights that “format” does not erase securities-law questions. If you are underwriting tokenized exposure, your legal layer has to sit inside your product design, not after it.
3) Counterparty risk (who you rely on)
Even “on-chain” strategies usually have off-chain dependencies: exchanges, OTC desks, custodians, prime brokers, market makers, stablecoin issuers, and administrators.
A good counterparty review looks a lot like traditional finance:
Financial strength and disclosures
Operational resilience and outage history
Concentration risk (too many eggs in one vendor)
The renewed spotlight on custody firms, including public listings like BitGo’s, is partly about proving those controls to the market.
4) Market and liquidity risk (exits, spreads, and stress)
Crypto liquidity can vanish when you need it most. When volatility spikes, spreads widen, slippage jumps, and leverage unwinds.
Recent market coverage has pointed to rising tail risk as liquidations build and hedging demand increases. That matters because many portfolios assume they can rebalance quickly. In crypto, that assumption can fail fast.
5) Protocol and governance risk (the code and the humans)
This is the “crypto-native” layer: smart contract bugs, oracle failures, bridge risk, admin keys, validator concentration, and governance capture.
Governance is not just “voting.” It is your last line of defense in a failure:
Can the protocol pause?
Who controls upgrades?
How quickly can parameters change?
Opportunities and Risks
A stacked framework lets institutions scale crypto exposure with clearer limits. You can say “yes” to crypto while still refusing specific failure modes, such as bridges, unaudited contracts, or protocols controlled by a single admin key. Clearer guidance on tokenized securities could also help on-chain capital markets mature over time by making rules, disclosures, and investor protections easier to standardize.
If you treat the layers as separate, you will miss how risks combine and cascade. January’s exploit totals are a reminder that one weak link can dominate outcomes even when other controls look strong. And more regulatory clarity can raise the bar, not lower it, meaning more compliance work and more enforcement exposure for firms that move too fast or document too little.
Investor Takeaway
Use the Crypto Risk Stack as your underwriting map:
Start at the bottom: operational controls and custody design.
Move up: legal/compliance and counterparty resilience.
Then price the trade: liquidity under stress, not in calm markets.
Finally, underwrite the protocol: upgrades, admin powers, and governance failure modes.
The key is to run one integrated stress test: “If X fails, what breaks next?” If you cannot answer that across custody, counterparties, compliance, liquidity, and governance, you are not doing institutional-grade diligence yet.
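As an added illustration (not part of the original newsletter), here is a small Python model of that integrated stress test. Each node in the failure map lists its requirements as groups of alternatives: a one-member group is a hard dependency, a multi-member group is a redundant set (three exit venues, two oracle feeds, a primary and backup signer set). The script propagates a failure to a fixed point, reporting what breaks in each round, which nodes are single points of failure for the position, and each node's blast radius. Every node name is constructed for the example and does not refer to any real vendor, protocol or fund.

```python
"""Failure-map stress test: "If X fails, what breaks next?"

A node fails when, for ANY of its requirement groups, ALL members of that
group have failed.  Groups with several members model redundancy; groups
with one member model a hard dependency (a single admin key, one bridge).
"""
from typing import Dict, List, Set, Tuple

Graph = Dict[str, List[Tuple[str, ...]]]

# Constructed example map. Names are hypothetical; leaves (nodes that are
# never a key) have no requirements of their own.
FAILURE_MAP: Graph = {
    # Operational layer: either signer set keeps the quorum alive,
    # but the ops team that runs approvals is a hard dependency.
    "signing_quorum":   [("hsm_cluster", "mpc_backup")],
    "custodian_a":      [("signing_quorum",), ("custody_ops_team",)],
    # Counterparty / liquidity layer: any one venue keeps exits open;
    # the stablecoin rail depends on a single issuer.
    "exit_liquidity":   [("exchange_x", "exchange_y", "otc_desk")],
    "stablecoin_rail":  [("stablecoin_issuer",)],
    # Protocol layer: two oracle feeds are redundant, but the admin key
    # and the bridge are each a single point of failure.
    "price_oracle":     [("oracle_feed_1", "oracle_feed_2")],
    "lending_protocol": [("price_oracle",), ("protocol_admin_key",), ("bridge_b",)],
    # The position itself needs every layer to be up.
    "fund_position":    [("custodian_a",), ("exit_liquidity",),
                         ("stablecoin_rail",), ("lending_protocol",)],
}


def all_nodes(graph: Graph) -> Set[str]:
    """Every node mentioned anywhere in the map, including leaves."""
    nodes = set(graph)
    for groups in graph.values():
        for group in groups:
            nodes.update(group)
    return nodes


def cascade_waves(graph: Graph, initial: Set[str]) -> List[Set[str]]:
    """Propagate failures round by round from an initial failed set.

    Each wave is computed from the state at the start of the round, so the
    returned list answers "what breaks next, and then what?" in order.
    """
    failed = set(initial)
    waves: List[Set[str]] = []
    while True:
        wave = {
            node for node, groups in graph.items()
            if node not in failed
            and any(all(member in failed for member in group) for group in groups)
        }
        if not wave:
            return waves
        waves.append(wave)
        failed |= wave


def cascade(graph: Graph, initial: Set[str]) -> Set[str]:
    """Everything that is down once the cascade has settled."""
    failed = set(initial)
    for wave in cascade_waves(graph, initial):
        failed |= wave
    return failed


def knocked_out_by(graph: Graph, node: str) -> Set[str]:
    """Downstream nodes that fail as a consequence of this one node failing."""
    return cascade(graph, {node}) - {node}


def single_points_of_failure(graph: Graph, target: str) -> List[str]:
    """Nodes whose sole failure is enough to take the target down."""
    return sorted(
        node for node in all_nodes(graph)
        if node != target and target in knocked_out_by(graph, node)
    )


def blast_radius(graph: Graph) -> Dict[str, int]:
    """How many other nodes each node drags down if it fails alone."""
    return {node: len(knocked_out_by(graph, node)) for node in all_nodes(graph)}


if __name__ == "__main__":
    print("Single points of failure for fund_position:")
    for node in single_points_of_failure(FAILURE_MAP, "fund_position"):
        print("  -", node)
    print("\nScenario: both signer sets compromised")
    for i, wave in enumerate(cascade_waves(FAILURE_MAP, {"hsm_cluster", "mpc_backup"}), 1):
        print(f"  round {i}: {sorted(wave)}")
    print("\nScenario: two of three exit venues halted (redundancy holds)")
    print("  cascades:", cascade_waves(FAILURE_MAP, {"exchange_x", "exchange_y"}))
    print("\nBlast radius, largest first:")
    for node, n in sorted(blast_radius(FAILURE_MAP).items(), key=lambda kv: -kv[1])[:5]:
        print(f"  {node}: {n}")
```

Reading the output the way a credit committee would: the nodes that appear in the single-point-of-failure list but have no redundant alternative in the map (the admin key, the bridge, the stablecoin issuer, the custody ops team) are exactly the "specific failure modes" you can refuse or size down, while the two-venue outage shows why concentration limits are worth the cost. Replace the constructed map with your own custodians, venues and protocols and re-run it for each scenario you want to stress.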
Conclusion
Crypto risk is not a set of separate risks. It is a connected system.
The investors who win over the next cycle will not be the ones with the most tokens. They will be the ones with the cleanest failure maps—and the discipline to size exposure to what they can truly control.
Stay sharp,
The Crypto Compass