Financial institutions are no longer asking whether to deploy onchain. They are asking which network, with what guarantees, and what happens when something goes wrong - and their regulators are demanding answers.

In December 2025, JPMorgan launched its first tokenized money market fund on Ethereum, seeded with $100 million of its own capital. By mid-2025, 10 of the top 10 tokenized money market funds by market cap were built using OpenZeppelin Contracts. BCG and Ripple estimate the tokenized asset market will reach $18.9 trillion by 2033. In April 2026, Jamie Dimon's shareholder letter named blockchain, stablecoins, and tokenization as direct competitive threats to JPMorgan's core operations.

Regulators have moved in step. The Basel Committee's cryptoasset exposure standards took effect in January 2026. France's AMF formally reminded providers that MiCA's transitional period ends on 1 July 2026, after which unauthorized providers face criminal liability. The FSB's October 2025 thematic review flagged that supervisory intensity will rise as crypto frameworks shift from development to enforcement.

Supervisory authorities across the globe have made clear that blockchain infrastructure carries the same operational risk expectations as any other critical dependency. For example, the EU’s Digital Operational Resilience Act applies equally to traditional financial activities under MiFID II and crypto asset activities under MiCA. This requires regulated institutions to translate principles-based prudential requirements into specific, evaluable risks and controls tailored to the nature of blockchain technology: operational resilience, settlement assurance, governance accountability, third-party concentration risk.

The first critical question regulators are asking is the one most institutions are least prepared for: how was the underlying network evaluated before client assets were placed on it?

The Gap in Current Blockchain Network Selection

The typical approach to blockchain network selection tends to be informal. Teams evaluate throughput benchmarks, liquidity, developer ecosystem size, and which networks competitors have chosen. These are useful inputs, but they are not the same as a risk assessment. The same metric carries different implications across networks, and a defensible answer requires a structured framework, not a benchmark sheet.

Take finality. Some networks offer deterministic finality, where confirmed transactions are irreversible by protocol design. Others offer economic finality, where reversal is theoretically possible but would force an attacker to destroy a known amount of staked collateral. A third category offers probabilistic finality, where confidence grows with time but the protocol never formally declares transaction finality. These are different design choices, with different operational and legal implications.

An institution representing settlement finality to its regulator needs to understand which model underlies the network it is building on, what can happen if it is tested, and how it is prepared to take action accordingly.

OpenZeppelin's Technical Risk Assessment

OpenZeppelin has published a Technical Risk Assessment covering six major blockchain networks: Ethereum, Solana, BNB Smart Chain, XRP Ledger, Tron, and Canton.

The Technical Risk Assessment is OpenZeppelin's methodology for evaluating risk across blockchain systems. This network assessment covers six major networks, but the same methodology can be applied to additional networks and to protocols, digital assets, and other critical infrastructure components such as bridges and oracles.

The methodology draws on public documentation, onchain data, incident records, and governance practices. It is reproducible, evidence-based, and network-agnostic. It does not rank networks or recommend one over another. It surfaces the structural trade-offs that are usually invisible to a benchmarking exercise but unavoidable in a regulatory submission.

Six key risk dimensions surface consistently across our work:

 

| Dimension | The question regulators ask |
|---|---|
| Maturity & operational track record | How has the network performed under stress? |
| Finality | What guarantee does the network offer, and what backs it? |
| Technical resilience & concentration | Where are the single points of failure (clients, geography, hosting)? |
| Governance & authority | Who can change the rules, how fast, and with what consensus? |
| Continuity & sustainability | Can the network survive the failure of its primary sponsor? |
| Network activity & adoption | Does usage support institutional-scale deployment? |

What the Technical Risk Assessment on Blockchain Networks surfaces

The six networks assessed differ fundamentally in design intent. Some are general-purpose programmable platforms, and others are purpose-built for institutional financial workflows with privacy as a default. Some prioritize maximum decentralization, others prioritize throughput through a smaller validator base. Reading the findings without that context risks treating design choices as defects, or vice versa.

  • Operational track records vary by an order of magnitude. The networks assessed range from over a decade of production history to just over a year. Five of the six have experienced at least one period of disrupted transaction processing. Recovery mechanisms differ as well: some networks self-recovered through protocol logic, others required coordinated patches and validator action. Length, cause, and recovery model each carry different implications for business continuity planning.
  • Geographic and infrastructure concentration ranges from broadly distributed to over 90% concentrated in three jurisdictions. At least one network in scope had a major hosting provider block validator access, taking a significant share of the validator set offline in a single event. Validator counts alone do not capture this dimension of risk.
  • Insider token allocations at genesis range from approximately 17% to over 90% across the assessed networks. In stake-weighted networks, this translates into governance authority. The minimum capital required to unilaterally influence consensus through token acquisition ranges from billions to tens of billions of dollars depending on the network.
  • No network assessed has implemented quantum-resistant cryptography in production. Roadmap visibility ranges from active research with published timelines to no publicly documented plans. Migrating live financial infrastructure to post-quantum cryptography requires preparation timelines measured in years.
  • Client diversity varies significantly. Some networks run a single codebase across the validator set; others run multiple independent implementations. Where a single codebase dominates, a critical vulnerability affects every validator simultaneously, with no diversity of implementation to contain the damage.
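The concentration and client-diversity findings above can be checked against any validator inventory. The following is an added example, not taken from OpenZeppelin's report: it counts how few validators, jurisdictions, hosting providers, or client implementations together exceed a stake threshold. The validator set, field names, and the one-third threshold are constructed assumptions.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed validator set, illustrative only:
# (validator, stake, jurisdiction, hosting provider, client implementation)
VALIDATORS = [
    ("v01", 100, "US", "cloud-a", "client-x"),
    ("v02", 100, "US", "cloud-a", "client-x"),
    ("v03", 100, "US", "cloud-a", "client-x"),
    ("v04", 100, "DE", "cloud-a", "client-x"),
    ("v05", 100, "DE", "cloud-a", "client-x"),
    ("v06", 100, "DE", "cloud-b", "client-x"),
    ("v07", 100, "SG", "cloud-b", "client-x"),
    ("v08", 100, "SG", "cloud-b", "client-x"),
    ("v09", 100, "SG", "cloud-a", "client-y"),
    ("v10", 100, "JP", "cloud-c", "client-x"),
    ("v11", 100, "BR", "self-hosted", "client-y"),
    ("v12", 100, "US", "cloud-a", "client-x"),
]
FIELDS = {"validator": 0, "jurisdiction": 2, "hosting": 3, "client": 4}
ONE_THIRD = Fraction(1, 3)  # assumed fault threshold, not a figure from the report

def stake_by(validators, field):
    """Total stake per distinct value of the given field."""
    totals = defaultdict(int)
    for row in validators:
        totals[row[FIELDS[field]]] += row[1]
    return dict(totals)

def min_groups_over(validators, field, threshold=ONE_THIRD):
    """Fewest groups whose combined stake strictly exceeds the threshold."""
    ranked = sorted(stake_by(validators, field).values(), reverse=True)
    total, running = sum(ranked), 0
    for count, stake in enumerate(ranked, start=1):
        running += stake
        if Fraction(running, total) > threshold:
            return count
    return len(ranked)

def top_share(validators, field, n=3):
    """Share of total stake held by the n largest groups."""
    ranked = sorted(stake_by(validators, field).values(), reverse=True)
    return Fraction(sum(ranked[:n]), sum(ranked))

if __name__ == "__main__":
    for field in FIELDS:
        print(f"{field:12} groups to exceed 1/3: {min_groups_over(VALIDATORS, field)}"
              f"  top-3 share: {float(top_share(VALIDATORS, field)):.0%}")
```

In this constructed set, five independent validators are needed to exceed one-third of stake, but a single hosting provider or a single client implementation already does.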

No network emerged as uniformly superior across all dimensions. Each presents a distinct combination of design choices and trade-offs. The Technical Risk Assessment's purpose is not to rank, but to make those trade-offs legible.

What a Defensible Network Selection Looks Like

Regulatory and license applications are not a simple question-and-answer exchange. Institutions must submit a comprehensive application that explains why their chosen infrastructure is appropriate for the nature of their activity and how they meet their regulatory obligations. A robust application, complete with independent reports from third-party experts, helps to fast-track approvals and reviews.

A submission that holds up under regulatory standards cannot rest on a benchmark sheet or a handful of headline metrics. When assessing blockchain networks, it requires examining each network across the dimensions that map onto regulatory requirements — maturity, finality, technical concentration, governance, continuity, and adoption — at the granularity supervisors expect: uptime and impact, incident records, validator distribution, geographical distribution, client diversity, slashing economics, governance cadence, audit history, post-quantum posture, and the specific concentration vectors that emerge from each network's design.

OpenZeppelin's Technical Risk Assessment examines blockchain networks across approximately 25 factors, grouped under the six dimensions above. The output is not a scorecard. It is a documented decision-making foundation an institution can include in its own submission, designed to withstand scrutiny across jurisdictions.




FAQs

1. What is a Technical Risk Assessment for a blockchain network?

A Technical Risk Assessment is a structured evaluation of a blockchain network's operational, governance, and security characteristics. For example, it examines how the network performs under stress, what guarantees it provides for transaction finality, where its single points of failure sit, and how its governance is distributed. OpenZeppelin's Technical Risk Assessment uses a consistent methodology that can be applied across networks, protocols, tokens, and other digital assets.

2. What are the six dimensions OpenZeppelin uses to assess blockchain network risk?

OpenZeppelin's Technical Risk Assessment on Blockchain Networks evaluates six key dimensions: maturity and operational track record, finality, technical resilience and concentration, governance and authority, continuity and institutional sustainability, and network activity and adoption. These dimensions evaluate operational resilience, settlement assurance, third-party concentration risk, and governance accountability principles found in applicable regulations.

3. What is the difference between deterministic, economic, and probabilistic finality?

Deterministic finality means a confirmed transaction is irreversible by protocol design. Economic finality means reversal is theoretically possible but would force an attacker to destroy a known amount of staked collateral. Probabilistic finality means confidence in irreversibility grows with each new block, but the protocol never formally declares a transaction final. Each model carries different implications for settlement assurance.

4. Why are financial regulators asking about blockchain network selection?

Supervisory authorities treat blockchain infrastructure as a critical dependency subject to the same operational risk expectations as any other technology. Regulators expect thorough due diligence regarding network selection, including a documented evaluation of factors like the network's operational history and incident response record, an assessment of its finality model and settlement implications, and an accounting of governance concentration and continuity risks. This diligence is bolstered by a comparison against alternative networks. OpenZeppelin's Technical Risk Assessment is designed to equip financial institutions for regulatory compliance.

5. How can a financial institution access the full Technical Risk Assessment on Blockchain Networks?

The full Technical Risk Assessment on Blockchain Networks is available on request. Submit your details through the form on this page and you'll get the report immediately, with a copy sent to your inbox for future reference. The report supports network selection, due diligence documentation, and regulatory submissions for institutions deploying onchain.