Holding USDT or USDC feels close to holding dollars, so the yield earned on top of them is often treated as low-risk by default. That assumption broke on March 11, 2023, when USDC traded as low as $0.87 after Circle disclosed reserve exposure to Silicon Valley Bank, and again when Celsius froze withdrawals in June 2022 and locked up $4.7 billion in customer assets. The yield itself was never the problem in those moments. The deposit, the custodian, the peg, and the contract underneath were. This article maps the distinct risks between deposit and withdrawal, from smart contract exploits and oracle failures to depegs, CeFi counterparty collapse, and governance attacks, and shows which concrete checks cut each one down: SlowMist audits, reserve attestations, TVL thresholds, U.S. MSB registration, and self-custodial design.
Why Stablecoin Yield Feels Safer Than It Is
The phrase “stablecoin yield” pairs two ideas, stable and yield, that the market tends to read as one. In practice, the stablecoin is only the unit of account; the yield comes from a separate machine that touches lending markets, market making, validator rewards, or counterparty credit. That machine breaks in ways the stablecoin’s $1 reference price cannot insulate against.
A useful frame is to separate the lifecycle into three independent failure links: the deposit into a platform, the use of the asset in the middle, and the withdrawal back to a wallet. Each link has its own attack surface: deposits can be misappropriated, the middle can be exploited by code or oracle, and withdrawals can be blocked by a peg break, a frozen platform, or a sanctions list. The same lifecycle applies even when simply parking idle stablecoins for yield without active trading.
The March 11, 2023 episode is the cleanest example. Circle disclosed $3.3 billion of USDC reserves at Silicon Valley Bank, the bank failed, and USDC traded down to $0.87 before recovering. The yield product holding that USDC kept showing APY through the entire weekend. Celsius is the second example: $4.7 billion in customer assets were frozen in June 2022, while the dashboard continued to display an interest rate next to a balance that could not be moved.
Five Categories of Yield Risk Between Deposit and Withdrawal
The risks are not a single spectrum from “safe” to “risky.” They are five distinct failure modes, and a product can be strong on four and fatal on the fifth.
Smart Contract Risk
Mechanism: flawed code in a lending pool or vault is exploited through bugs, flash loan attacks, or reentrancy, draining deposited stablecoins in a single transaction. The yield contract is the locked vault holding everyone’s USDT or USDC, so a contract failure is usually a total-loss event for that pool.
Past events: the Euler Finance exploit in January 2023 drained $197 million through a donation-and-liquidation bug, and the Cream Finance attack in October 2021 lost $130 million through a flash-loan-driven price manipulation. Both protocols had been audited before the events.
Hard indicator: public audit reports from SlowMist, OpenZeppelin, or Trail of Bits, with re-audits across versions, dated within the last 12 months, and linked from official documentation.
Oracle Risk
Mechanism: a yield protocol depends on a price feed to value collateral and trigger liquidations; manipulating that feed distorts collateral ratios and lets an attacker borrow far more than the deposit should support.
Past event: the Mango Markets exploit in October 2022 cost $114 million when an attacker pushed the MNGO price up on thin liquidity, used the inflated mark as collateral, and borrowed out the treasury.
Hard indicator: multi-source feeds (Chainlink plus an independent provider), use of TWAP (time-weighted average price) rather than spot, and documented circuit breakers if feeds diverge beyond a set threshold.
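The three oracle safeguards named above can be seen working together in a short added example; it is not part of the original article or any protocol's code. The 30-minute window, the 1% divergence threshold, the prices, and all function names are assumptions chosen for illustration.

```python
class FeedDivergence(Exception):
    """Raised when price sources disagree by more than the threshold."""

def twap(observations, window_start, window_end):
    """Time-weighted average price over [window_start, window_end].
    observations: (timestamp_seconds, price) pairs sorted by time; each price
    is treated as valid until the next observation arrives."""
    if not observations or observations[0][0] > window_start:
        raise ValueError("no observation covers the start of the window")
    if window_end <= window_start:
        raise ValueError("empty window")
    weighted = 0.0
    for i, (ts, price) in enumerate(observations):
        nxt = observations[i + 1][0] if i + 1 < len(observations) else window_end
        start, end = max(ts, window_start), min(nxt, window_end)
        if end > start:
            weighted += price * (end - start)
    return weighted / (window_end - window_start)

def checked_price(feed_prices, max_divergence=0.01):
    """Mean of the feeds, or FeedDivergence if they disagree too much.
    max_divergence is the relative spread (max - min) / min. The 1% default
    is an assumed value; a real protocol documents its own threshold."""
    lo, hi = min(feed_prices.values()), max(feed_prices.values())
    spread = (hi - lo) / lo
    if spread > max_divergence:
        raise FeedDivergence(f"feeds diverge by {spread:.1%}")
    return sum(feed_prices.values()) / len(feed_prices)

# Constructed data: a thin venue quotes 1.00 for 29 minutes, then 1.60 for the
# last 60 seconds of a 30-minute window; an independent source stays at 1.00.
WINDOW = (0, 1800)
THIN_VENUE = [(0, 1.00), (1740, 1.60)]
INDEPENDENT = [(0, 1.00)]

def demo():
    spot = THIN_VENUE[-1][1]  # what a spot-only oracle would report
    thin_twap = twap(THIN_VENUE, *WINDOW)
    feeds = {"thin": thin_twap, "independent": twap(INDEPENDENT, *WINDOW)}
    try:
        price = checked_price(feeds)
    except FeedDivergence:
        price = None  # breaker tripped: no price is returned
    return spot, thin_twap, price

if __name__ == "__main__":
    print(demo())
```

A spike held for half the window would lift the TWAP to 1.30, which is why the second source and the divergence breaker are checked in addition to the averaging window.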
Depeg Risk
Mechanism: the stablecoin itself loses its $1 reference because reserve assets are stressed, a custodian fails, or panic selling overwhelms redemption capacity. Yield denominated in a depegged coin loses real value even if the contract pays out correctly.
Past events: USDC dropped to $0.87 on March 11, 2023 after SVB exposure was disclosed, and USDT faced repeated questions during 2021–2022 over the commercial paper share of its reserves before shifting toward Treasury bills.
Hard indicator: Circle’s monthly attestation for USDC and Tether’s quarterly attestation for USDT, plus disclosed issuer bank diversification so that no single banking partner holds a majority of reserves.
CeFi Counterparty Risk
Mechanism: a centralized platform holds customer assets in its own wallet, then misappropriates them, lends them to a related entity, or runs a liquidity mismatch between short-term deposits and long-dated bets. When the bet sours, withdrawals freeze.
Past events: Celsius froze withdrawals in June 2022 with $4.7 billion in customer assets locked, FTX collapsed in November 2022 with roughly $8 billion in customer funds missing, and BlockFi filed for bankruptcy weeks later.
Hard indicator: self-custody (keys held by the depositor, not the platform), a U.S. MSB registration or equivalent license, and explicit customer asset segregation documented in terms of service rather than implied.
Governance and Regulatory Risk
Mechanism: concentrated holders of a governance token vote in changes that drain a treasury or alter parameters in their favor; separately, protocols can be sanctioned at the smart-contract level, and front-ends can be forced to block addresses.
Past events: Tornado Cash was sanctioned by OFAC in August 2022, freezing the protocol and the assets of compliant users routing through it, and the Beanstalk governance attack in April 2022 drained $182 million after an attacker used a flash loan to buy a temporary voting majority.
Hard indicator: disclosed issuer jurisdiction, governance token distribution showing no single holder above a published threshold, and U.S. compliance entity backing for protocols serving U.S. users.
The Concrete Checks That Cut Each Risk Down
Each of the five categories above maps to a document or on-chain fact that can be verified in roughly ten minutes. The point is not to memorize the risks; it is to confirm the documents exist before any USDT or USDC moves.
- Audit report links and dates → cuts down smart contract risk. Look for SlowMist, OpenZeppelin, or Trail of Bits, with the most recent report dated within the last year, and check that the audited contract addresses match the live ones.
- Multi-source oracle plus TWAP → cuts down oracle risk. The documentation should name the providers and the averaging window.
- Monthly reserve attestation plus bank list → cuts down depeg risk. For USDC the source is Circle’s monthly report; for USDT the quarterly attestation; both should list issuer banks and asset composition.
- MSB registration plus self-custody design → cuts down CeFi counterparty risk. MSB numbers are searchable on FinCEN; self-custody is verifiable by signing transactions from a personal address.
- Governance token distribution plus regulatory jurisdiction disclosure → cuts down governance and regulatory risk. Top-holder lists are public on most chains; jurisdiction should be stated in the legal terms.
The summary rule is simple: APY is not an indicator; verifiable documents are. A higher APY without one of these documents is a higher price for the same uncertainty.
How BenPay Approaches Compliance and Custody
BenPay is a one-stop on-chain financial platform: store, earn, spend, and transfer in one self-custodial account.
Consider a concrete scenario: a holder of 50,000 USDC deposits into BenPay’s earn account. The assets are managed through a self-custodial address on the BenFen chain that is signed by the holder, so the platform never controls the private key. The platform entity holds U.S. MSB registration, and the underlying yield contracts are audited by SlowMist.
That single setup maps directly to the five risk categories. Self-custody eliminates CeFi counterparty risk because there is no internal balance for a platform to freeze or misappropriate, in contrast to the $4.7 billion Celsius freeze pattern. SlowMist audits reduce smart contract risk by surfacing the class of bugs that drained Euler and Cream. MSB registration addresses regulatory risk by binding the platform to U.S. anti-money-laundering rules and a known jurisdiction.
On the oracle side, BenFen uses multi-source price feeds so that a single manipulated venue cannot distort collateral valuation in the way that cost Mango Markets $114 million. On the peg side, restricting earn balances to mainstream stablecoins (USDC and USDT) with monthly or quarterly attestations reduces depeg risk to the auditable variety, rather than the algorithmic-stablecoin variety that erased Terra in 2022.
Risk-by-Product Matrix: CeFi vs DeFi vs BenPay
| Product | Smart Contract | Oracle | Depeg | Counterparty | Governance / Reg | Key Safeguard |
|---|---|---|---|---|---|---|
| Centralized exchange earn | Low | Low | Medium | High | Medium | Brand reputation |
| DeFi lending protocol | Medium | Medium | Medium | Low | Medium | Public audits + TVL |
| Algorithmic stablecoin farming | High | High | High | Low | High | None reliable |
| BenPay self-custody yield | Medium | Low | Low | Low | Low | MSB + audit + self-custody |
Interpretation. A centralized exchange earn product is always High on counterparty risk because the user balance is an IOU on the exchange’s books; the FTX and Celsius collapses showed that brand reputation does not change the legal status of that IOU. A direct breakdown of DeFi yield versus exchange Earn covers how the IOU structure differs from on-chain positions. A DeFi lending protocol cannot reach zero on smart contract risk because the contract is the custodian. Even with three audits, the Euler and Cream losses happened to audited code, so the residual risk is real. Self-custody scores Low on counterparty and regulatory simultaneously for a different reason: with keys held by the depositor and a licensed MSB operating the interface, there is no entity that can freeze the balance and no jurisdictional grey zone inviting enforcement.
Choosing Yield by Risk Tolerance
Risk tolerance is not a personality trait; it is a function of how much of a portfolio can absorb a total loss in any one product.
- Conservative. Only products that combine MSB registration, monthly reserve attestation on the underlying stablecoin, and self-custodial design. Target APY is whatever the market offers under those constraints, not a number set in advance.
- Balanced. Add audited DeFi protocols with TVL above $500 million, on the reasoning that TVL above that threshold indicates sustained scrutiny from on-chain analysts and white-hat researchers. Position size per protocol stays moderate.
- Aggressive. Newer protocols are acceptable, but any single position is capped at 10% of holdings, and a depeg auto-redemption threshold is set in advance (for example, auto-exit at $0.97 on the underlying stablecoin) so that a 2023-style event triggers an exit before the bottom rather than after it.
The tiers are not a ranking. They are a way to match the size of a possible loss to the size of a position before the loss happens.
FAQ
1. What was the actual cause of the USDC depeg in March 2023, and could it happen again?
The cause was Circle’s disclosure of $3.3 billion of reserves at the failing Silicon Valley Bank, which created uncertainty about full redemption until the FDIC backstop was announced. It could happen again on any single-bank concentration event, which is why issuer bank diversification is now part of reserve disclosure.
2. Is USDT or USDC safer for yield products in 2026?
USDC carries monthly attestations and a U.S.-regulated issuer, while USDT carries quarterly attestations, larger market depth, and broader DeFi integrations. Neither is universally safer: USDC has tighter regulatory clarity, while USDT has greater liquidity under stress.
3. How can a SlowMist audit be verified, and what does it actually cover?
SlowMist publishes audit reports on its official site with a report ID, audited contract addresses, and a list of findings. The audit covers code-level vulnerabilities such as reentrancy, integer overflow, and access control, but does not certify economic or governance design.
4. Why did self-custodial users avoid losses during the FTX and Celsius collapses?
Self-custodial users held their own private keys, so their assets were never on the platform’s balance sheet and were never part of the bankruptcy estate. The freezes and clawbacks applied only to balances the platform itself controlled. Exit speed also depends on DeFi withdrawal liquidity at the moment of redemption.
5. What does U.S. MSB registration require, and why does it matter for a yield platform?
MSB registration with FinCEN requires the entity to implement an anti-money-laundering program, file suspicious activity reports, and accept federal oversight. It matters because it places the platform in a known U.S. regulatory perimeter rather than an undisclosed offshore one. The risk-return tradeoff is also worth weighing compared to a bank savings account protected by FDIC insurance.

