Screening DeFi transactions is a different discipline from screening centralised exchange transactions. A single swap on a DEX aggregator can touch a dozen smart contracts, two intermediate wallets, and an oracle — none of which reflect "counterparty" in the way a compliance officer typically thinks about it. This guide walks through how to screen DeFi activity without drowning in noise.
Step one: understand the actors. In a typical DeFi interaction, there are three distinct addresses to consider: the user's externally-owned account (EOA), the protocol's smart contract(s), and the ultimate source or destination of the funds. Screening only the first two will miss most of the risk signal. Screening all three generates a lot of output.
Step two: segment protocols by risk category. A user interaction with Uniswap is categorically different from an interaction with a sanctioned privacy mixer. Our internal taxonomy divides DeFi protocols into seven categories: clean DEX, clean lending, clean staking, restricted DEX, privacy mixer, bridge, and "other". Each category carries a default risk weight that you can tune.
Step three: pay attention to the bridge layer. Cross-chain bridges are the single most common laundering vector in 2025–2026. A user who bridges from Ethereum to Arbitrum to BNB Chain in quick succession is behaving anomalously regardless of the clean-or-not status of the component bridges. Volume, timing, and chain-hop patterns matter more than protocol identity.
Step four: check oracle and relayer addresses. Some protocols use relayer networks (for meta-transactions) or decentralised oracles that can introduce risk exposure unrelated to the user's intent. We maintain a list of clean relayers and oracles; interactions with unlisted ones should be treated as a yellow signal for further review.
Step five: reconcile with CEX activity. Many DeFi users are also CEX users, and the points of exit to fiat are typically the CEX layer. Where the same counterparty appears in both a DeFi and a CEX context, the combined record is a stronger signal than either alone. Our entity-level attribution links addresses across this boundary where the evidence supports it.
Common pitfalls. Teams new to DeFi screening often either over-flag or under-flag. Over-flag: every interaction with any smart contract is treated as elevated risk, producing a backlog of tickets that wastes analyst time and yields no real insight. Under-flag: clean DEX interactions are treated as safe without looking at where the funds came from or went to, missing the laundering layer on top of a clean transaction.
The discipline is to think in terms of net risk — the combined signal from the user EOA, the protocol category, the bridge pattern, and the ultimate source/destination. That's how our risk engine is designed, and it's the model we recommend embedding into your analyst workflow.
A note on LP positions. Liquidity-provider positions introduce unique challenges: funds are comingled with other LPs, and the counterparty to any swap against the pool is ambiguous. Our scoring treats LP provision as a structurally neutral act but examines the LP's previous flow history and the pool's composition. Pools with concentrated sanctioned exposure score worse regardless of the LP's personal history.
A note on staking. Staking is generally low-risk, but validator selection matters. Validators associated with sanctioned custodial operations inherit that taint; validators run by clean operators do not. For large institutional stakers, validator-level attribution is increasingly important.
The field is moving quickly. What works today may not work in six months. Our research team publishes quarterly DeFi screening updates, and our API reflects methodology changes with semantic versioning so integrations remain stable. If you're starting a DeFi screening programme, please reach out — we have a fast-start engagement that gets most teams productive in under two weeks.
