Bottom line: a curated DeFi yield vault that pools deposits, follows a curator-set strategy and issues a redeemable share token will, on most fact patterns, sit inside MiCAR, AIFMD or MiFID II, often more than one at once. The "fully decentralised" exemption in Recital 22 rarely helps once a named curator, upgrade key or fee-recipient multisig exists.
Last updated: July 2026 · Reviewed by Vladislav Linko, Associate, Hedman Law Firm · Topics: MiCAR, AIFMD, MiFID II, DeFi yield vaults
DeFi yield vaults have quietly become one of the largest categories in on-chain finance. Curated lending vaults on Morpho alone now hold over $10 billion in deposits[1], while Aave reached a 2025 peak of $75 billion[2], figures that put the biggest DeFi yield platforms in the same league as mid-sized traditional asset managers. To a user, a vault looks like a savings product: deposit a stablecoin, receive a share token, watch the balance grow. To a regulator, the same arrangement can look like a pooled investment fund, a discretionary portfolio-management mandate, or an unregistered securities offering. Which lens applies depends on details that vault marketing pages rarely emphasise: who controls the strategy, how the yield is generated, and what rights the token gives the holder.
The collapse of Stream Finance and Elixir in November 2025 moved all three lenses from theory to practice. A single $93 million loss, disclosed by an external fund manager, cascaded into roughly $285 million of cross-protocol bad debt and depegged Elixir's deUSD by 98% within days[3][4]. The post-mortems converged on the same diagnosis: what looked on the surface like a "DeFi protocol" was, in substance, an opaque and highly leveraged off-chain asset-management arrangement wrapped in a smart contract. This is precisely the type of structure that EU fund and securities laws have spent decades regulating.
This piece explains how European law characterises these arrangements, and where the regulatory exposure sits for teams building or operating yield vaults that touch EU users.
Key takeaways
- Curated yield vaults have grown into one of the largest categories in on-chain finance, but the legal architecture sitting underneath them (pooled deposits, a curator setting the policy, a pro-rata share token) maps cleanly onto definitions written for regulated services.
- The November 2025 Stream Finance / Elixir collapse caused approximately $285 million of cross-protocol bad debt, with $68 million of that on Elixir alone, and a 98% depeg of deUSD, driven not by a smart-contract bug but by an off-chain external fund manager's $93 million loss.
- Three EU regimes can apply to a yield vault, often in parallel: the Alternative Investment Fund Managers Directive (AIFMD), MiCAR's portfolio-management-of-crypto-assets service under Article 3(1)(25) and crypto custody under Article 3(1)(17), and, if the vault token has built-in yield mechanics, MiFID II and the Prospectus Regulation. Recital 22's "fully decentralised" carve-out is narrower than vault marketing pages tend to assume.
- BaFin's 2025 action against Ethena's sUSDe is the template every yield-bearing token issuer should now plan around: an NCA reviewing a MiCAR notification can decide on substance review that the token is a financial instrument, push it out of MiCAR scope under Article 2(4)(a), and pursue prospectus-liability claims against the issuer and its management.
Quick self-check: how exposed is your vault?
Tick everything that applies to your vault or token, then use the guidance below.
- Deposits from multiple users are pooled into one contract or strategy
- A named curator, strategist, or risk team sets and rebalances the strategy
- Depositors have no individual say over allocation decisions
- The vault issues a share or receipt token whose value is linked to yield
- There is an upgrade key, admin role, or fee-recipient multisig held by an identifiable party
- Some allocations go to off-chain managers or counterparties
- The vault or token is or will be marketed to EU users
There is regulatory risk even if just one of the boxes is ticked.
From passive deposits to on-chain discretionary asset management
A modern yield vault is a smart contract (usually built around the ERC-4626 standard) into which users deposit a single asset and receive a share token in return. The contract pools the deposits and deploys the capital across one or more yield strategies: lending on money markets, providing liquidity on decentralised exchanges, posting collateral in yield-trading protocols, holding staked-ETH derivatives, running delta-neutral basis trades against perpetual futures, or, in some hybrid cases, allocating capital to off-chain professional fund managers.
The strategy is set, monitored and rebalanced not by the depositor but by a "curator" or "strategist", typically an identifiable professional risk team, that earns a performance fee on the yield it generates. Depositors generally have no governance rights over individual allocation decisions; they pick a curator the way a traditional investor picks a fund manager. Morpho Vaults V2, launched in June 2025, formalised this with role-segregated governance (Owner, Curator, Allocator, Sentinel), an adapter system, in-kind redemption and optional KYC gates[5].
The market has also concentrated around a small number of large platforms. Morpho's curated lending vaults sit at over $10 billion in TVL; Aave ended 2025 at $55 billion of deposits after a $75 billion peak[2]; Pendle has retraced from a September 2025 peak of $13.1 billion to roughly $1.5 billion[6]; Sky's sUSDS savings rate product crossed $4 billion in November 2025[7]; Ethena's sUSDe sits around $2.1 billion. These are no longer experimental products. They are large pools of capital, professionally allocated and increasingly marketed to both retail and institutional users.
The Stream Finance collapse: a $93 million reminder of what vaults can become
Stream Finance was a yield-aggregation protocol that issued an over-collateralised "synthetic stablecoin" (xUSD) along with xBTC and xETH derivatives. Its strategy combined on-chain looping (analysts identified roughly 7.6x leverage in some positions) with allocations to external fund managers operating off-chain.
On 3 November 2025, Stream announced that "an external fund manager overseeing Stream funds disclosed the loss of approximately $93 million in Stream fund assets" and engaged Perkins Coie LLP to investigate[3]. Within hours, xUSD depegged from $1 to between $0.07 and $0.14. Yields and More (YAM) and Sentora subsequently identified approximately $285 million of outstanding loans collateralised by Stream's xUSD, xBTC and xETH across five lending protocols on six chains[4]. Elixir Network had lent roughly $68 million to Stream through private Morpho vaults, about 65% of the collateral backing its deUSD stablecoin, according to on-chain analysis by Nansen[8]. When Stream froze redemptions, deUSD collapsed 98%, from $1.00 to as low as $0.015. Stable Labs' USDX, which used xUSD as collateral, depegged in turn. Roughly $1 billion flowed out of DeFi yield platforms in the week that followed.
$285 million
Estimated cross-protocol bad debt cascading from the November 2025 Stream Finance / Elixir collapse, driven by a $93 million off-chain external manager loss, not a smart-contract failure[4].
For European regulators, the legally important point is not only the size of the loss but the mechanism behind it. The collapse was not a smart-contract exploit. It was a discretionary asset-management failure: an off-chain manager, allocating pooled investor capital under an investment policy, making loss-making allocation decisions. PeckShield, Chaos Labs and YAM all noted that Stream did not maintain a comprehensive proof-of-reserves dashboard and that on-chain user deposits diverged sharply from claimed deployed assets[4]. Any AIFMD-licensed fund would be forbidden from running that way. The Stream case does not, by itself, cause a regulatory consequence. But it makes the regulatory question impossible to ignore: at what point does a "DeFi yield vault" stop being software and start being a regulated activity?
The three ways EU regulators can classify a yield vault
European law gives regulators several routes into a yield vault, and they are not mutually exclusive. A single arrangement can sit inside two or three regimes at once.
The first route is AIFMD. ESMA's 2013 Guidelines on key concepts of the AIFMD set out four cumulative criteria. An entity is an Alternative Investment Fund if it is a "collective investment undertaking" pooling capital with a view to generating a pooled return; it raises capital from a number of investors; it does so on the basis of a defined investment policy; and unitholders as a collective group have no day-to-day discretion or control[9]. A typical curated vault can meet all four on its face: pooled deposits, a curator-defined policy filed on-chain, a pro-rata share token, and no individual investor governance over rebalancing. ESMA's December 2024 Guidelines on the qualification of crypto-assets as financial instruments reinforce this for the on-chain context, providing a near-direct description of a curated yield vault and concluding that such a token "should be considered as a unit in a collective investment undertaking"[10]. Importantly for DeFi, the same Guidelines specify that "it is not relevant whether decisions are made by humans, code/algorithms, or smart contracts as long as those decisions are in strict adherence to the established investment policy"[10]. Pure liquid staking falls outside this definition, but only "if there is no collective management by a third party following a predefined investment policy"[10], a carve-out that evaporates the moment a curator is in the picture.
The second route is MiCAR's portfolio-management service. MiCAR Article 3(1)(25) defines portfolio management of crypto-assets as "managing portfolios in accordance with mandates given by clients on a discretionary client-by-client basis where such portfolios include one or more crypto-assets"[11]. The "client-by-client" wording matters: a true pooled vault is a collective arrangement, which pushes it towards AIFMD; bespoke discretionary management is portfolio management under MiCAR. The two regimes interact through MiCAR Article 60, which lets a MiFID-authorised investment firm, a UCITS management company or an AIFM provide MiCAR-equivalent crypto-asset services through a 40-working-day notification rather than a full CASP authorisation[12]. The CSSF, AFM, FSMA and AMF have all issued 2025 guidance contemplating exactly this route for fund managers offering crypto-asset portfolio services. The route is open, but limited. The FSMA has been clear that an Article 60 notification does not authorise the firm to hold client funds or crypto-assets, which means a vault structure taking custody also needs full CASP authorisation under Article 63[13].
The third issue is the "fully decentralised" exemption, and for most curated vaults it is narrow. MiCAR Recital 22 provides that "where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of this Regulation"[11]. Three points make this exemption difficult for most yield vaults to rely on. There is no statutory definition of "fully decentralised", and ESMA itself has acknowledged that "the exact scope of this exemption remains uncertain". The EBA-ESMA Joint Report of 16 January 2025 holds that the exemption applies only "as long as no individual or entity controls a DeFi protocol or platform and its usage, and no individual fulfils a fundamental and indispensable role in its operation"[14]. And Recital 22 itself states that MiCAR applies "including when part of such activities or services is performed in a decentralised manner". As PwC Legal puts it, "where control or centralisation applies (not necessarily outweighs) then full decentralisation will no longer be deemed to be given and MiCAR may well apply"[15]. A vault with a named curator, an upgrade key, a fee-recipient multisig, a concentrated governance token or a front-end operator will struggle to present itself as fully decentralised in any meaningful sense.
The cumulative effect is that a curated yield vault touching EU users will, on most fact patterns, sit inside MiCAR scope, will plausibly meet the AIFMD definition of an AIF, and will rarely qualify for the Recital 22 carve-out. The conservative working assumption is that regulation applies; the question is which regime applies first and how the issuer wants to structure around it.
Which EU regime applies first? Quick-reference comparison
| Regime | Applies when | Key trigger |
|---|---|---|
| AIFMD (Alternative Investment Fund) | Deposits are pooled, a curator sets a defined investment policy, and depositors have no day-to-day discretion over allocation. | ESMA's 2013 AIFMD Guidelines: four cumulative criteria are met on the facts. |
| MiCAR: portfolio management of crypto-assets (Art. 3(1)(25)) | Crypto-asset portfolios are managed on a discretionary, client-by-client (not pooled) mandate. | Bespoke mandates; Article 60 lets authorised AIFMs/MiFID firms notify rather than seek full CASP status. |
| MiFID II + Prospectus Regulation | The vault share token or a yield-bearing token embeds a cash-settlement claim referencing yield, interest or an index. | ESMA's Dec. 2024 Guidelines reclassify the token as a transferable security; MiCAR Art. 2(4)(a) then disapplies MiCAR. |
| MiCAR Recital 22 "fully decentralised" carve-out | No individual or entity controls the protocol and no one plays an indispensable operational role. | Narrow in practice: a named curator, upgrade key or fee-recipient multisig defeats it. |
When the vault token becomes the regulated instrument
The legal status of a vault is one question. The legal status of the token sitting inside (or coming out of) the vault is another, and it can take the issuer into a different regulatory regime altogether.
A non-yield-bearing crypto-asset that simply happens to be deposited in a vault (say, a stablecoin sent into a curated lending vault) does not change its character because of the deposit. The vault share token, and natively yield-bearing tokens more generally (staked-stablecoin tokens, savings-rate tokens, liquid-staking tokens, lending-market deposit receipts, principal and yield tokens, and so on), are different: the token itself embeds an economic claim linked to yield.
MiFID II Article 4(1)(44) defines transferable securities to include "any other securities giving the right to acquire or sell any such transferable securities or giving rise to a cash settlement determined by reference to transferable securities, currencies, interest rates or yields, commodities or other indices or measures"[16]. A principal token that gives a cash settlement determined by reference to the underlying yield to maturity is a clear fit. ESMA's December 2024 Guidelines apply a substance-over-form test that explicitly contemplates yield-bearing tokens as units in a collective investment undertaking[10].
The consequence is laid out in MiCAR Article 2(4)(a): MiCAR "does not apply to crypto-assets that qualify as financial instruments" under MiFID II. The moment a yield-bearing token crosses into financial-instrument territory, MiCAR ceases to apply. The token falls instead into the much heavier MiFID II framework alongside the Prospectus Regulation, the Market Abuse Regulation and, where the underlying arrangement is collective, AIFMD. ESMA's Guidelines say so explicitly: "where crypto-assets qualify as transferable securities or other types of financial instruments under MiFID II, they are likely to be subject to a comprehensive suite of EU financial regulations"[10].
This is exactly what BaFin did to Ethena in 2025, in what is now the key enforcement template. On 21 March 2025, BaFin issued an immediately enforceable order prohibiting Ethena GmbH from offering USDe to the public in Germany on MiCAR grounds, froze the asset reserves and ordered the company to wind down new business[17]. In the same notice, BaFin took a separate position on the yield-bearing token, stating that there were "reasonable grounds to suspect that Ethena GmbH in Germany sells securities in the form of sUSDe tokens from Ethena OpCo Ltd. without the required prospectus"[17]. On 3 June 2025, BaFin issued a follow-up notice on the BVI parent:
BaFin has sufficient grounds to suspect that Ethena (BVI) Ltd. is offering securities in the form of "sUSDe"-token to the public in Germany without the required prospectus. … Offering securities to the public without an approved prospectus constitutes a violation of the prospectus requirement under Article 3(1) of the EU Prospectus Regulation, unless an exemption applies.[18]
The Verwaltungsgericht Frankfurt confirmed the underlying classification in May 2025, holding that sUSDe meets the characteristics of a security under section 2(1)(1) WpPG read together with Article 2(a) of the Prospectus Regulation[19]. The legal mechanic is striking. BaFin used a MiCAR notification (Ethena had submitted its ART application in July 2024) to start the substance review, then used Article 2(4)(a) MiCAR to push sUSDe out of MiCAR scope and into the Prospectus Regulation. The MiCAR filing was the trigger; the Prospectus Regulation became the operative enforcement route.
What this means for MiCAR whitepapers and token classification
The same substance-over-form logic applies here. A MiCAR Article 6 notification for a yield-bearing token gives the receiving NCA the opportunity to decide on substance review that the token is a transferable security or a unit in a collective investment undertaking under ESMA's December 2024 Guidelines, to invoke Article 2(4)(a) to push it out of MiCAR scope, and to impose immediately enforceable supervisory measures including asset freezes, public-offer bans and coercive fines. By contrast, not notifying a token that should be notified is itself a MiCAR breach. The decision is therefore not whether to engage with the regime but how.
This makes whitepaper drafting a classification exercise, not just a disclosure exercise. First, MiCAR requires the issuer to analyse the legal status of their token before the whitepaper is submitted. A substance-over-form review under ESMA's Guidelines (covering the redemption mechanic, the source of the yield, the discretion exercised over deployed capital, and the fungibility of the token) is what an NCA will run on receipt of the notification. Doing the analysis first surfaces the issues while there is still time to restructure.
Second, the description of the token's economic mechanics has to be precise about what the token gives, and does not give, to the holder. Imprecise language about "yield generation," "share of returns" or "redemption value" maps cleanly onto financial-instrument definitions; a vague disclosure invites the NCA to do the characterisation work itself.
Third, the relationship between the token and any underlying vault, strategy or curator should be drafted with care. Under item F.11 of Annex I MiCAR, the issuer has to disclose the services provided in connection with the crypto-asset, and a description that resembles discretionary portfolio management or collective investment management can give the NCA a clean basis to refer the matter to the AIFMD or MiFID supervisor.
Fourth, the decentralisation analysis, for both the protocol and the issuer, should be documented in writing, mapping each MiCAR-relevant function (custody, exchange, portfolio management, transfer) against any identifiable person or entity. If the answer is that there is none, that needs to be defensible against the EBA-ESMA spectrum-of-decentralisation framework[14]. If there is, Recital 22 should be set aside and the issuer should plan for MiCAR scope.
Fifth, where the analysis points towards portfolio management or AIF activity, the cleaner route may be a notified crypto-asset portfolio-management service under MiCAR, provided by an existing AIFM or UCITS manager where available, paired with a separately authorised CASP custodian where custody is involved. That means more administrative work upfront, but less existential risk later. Where a Singapore listing is also in view, a Singapore legal opinion on token classification runs the same substance analysis for the APAC side of a launch.
Conclusion
The Commission's mandatory Article 142 review of DeFi was due on 30 December 2024 and has not been published. Until it is (and probably for a year or two beyond it), the existing MiCAR, MiFID II and AIFMD perimeter is the regulatory toolkit. Within that perimeter, the supervisory direction of travel is clear. The EBA-ESMA Joint Report describes DeFi as a "niche phenomenon" representing 4% of crypto market value globally[14], which is supervisor-speak for "we will use existing tools, not write a new regime." BaFin has shown what those existing tools look like applied to a yield-bearing token. Other NCAs are watching.
The Stream Finance collapse made the same point from the other direction. A vault is not, in itself, a fund or a security. But a vault with a curator setting policy, allocating to off-chain managers, and issuing a redeemable share token is, in substance, the kind of arrangement EU law has been regulating for fifty years. The regulatory question is no longer whether MiCAR, MiFID II or AIFMD will reach DeFi yield products. It is which one reaches first, and how much of the answer the issuer can still shape through careful structuring and drafting before filing.
If you are building or operating a yield vault or yield-bearing token and considering European users, the regulatory analysis should come before the whitepaper is filed. We can help you work through the classification, structuring and drafting that goes with it. Our team has direct experience with MiCAR notification preparation and with assessing the regulatory risk profile of novel platform structures across multiple EU jurisdictions. Reach out to discuss your situation.
Frequently asked questions
Is a DeFi yield vault a regulated fund under EU law?
Often, yes. If deposits are pooled, a curator sets and rebalances a defined investment strategy, and depositors hold a pro-rata share token with no day-to-day control, the vault can meet ESMA's four-part test for an Alternative Investment Fund under AIFMD, regardless of whether the logic runs in a smart contract or off-chain.
Does MiCAR cover yield-bearing tokens?
Not once a token qualifies as a financial instrument. MiCAR Article 2(4)(a) disapplies MiCAR the moment a token is reclassified as a transferable security or a unit in a collective investment undertaking, moving it into MiFID II, the Prospectus Regulation and, where relevant, AIFMD instead.
What did BaFin decide about Ethena's sUSDe?
In March and June 2025, BaFin used a MiCAR notification review to conclude there were grounds to treat sUSDe as an unregistered security, froze Ethena GmbH's asset reserves and pursued prospectus-liability action, a template other EU regulators are now watching.
Can a DeFi yield vault rely on MiCAR's "fully decentralised" exemption?
Rarely, in practice. The EBA-ESMA Joint Report limits the Recital 22 carve-out to protocols with no controlling individual or entity and no indispensable operational role. A named curator, an upgrade key or a fee-recipient multisig is usually enough to defeat the exemption.
What should issuers do before filing a MiCAR whitepaper for a yield-bearing token?
Run a substance-over-form classification first, covering the redemption mechanic, the source of yield, who exercises discretion, and the token's fungibility, so that any AIFMD, MiFID II or Prospectus Regulation exposure is identified and addressed before, not after, the notification is filed.
References
- 1. Morpho Vaults V2: A new standard for asset curation
- 2. Aave 2025 Year in Review
- 3. Stream Fund Discloses $93M Loss, Temporarily Halts Operations, Crypto Times
- 4. Anatomy of a $285M DeFi Contagion: The Stream Finance xUSD Collapse, BlockEden
- 5. Morpho Protocol Explained 2026
- 6. Pendle Built A Yield Curve The Market Hasn't Priced, Crypto News Navigator
- 7. sUSDS: Access the Sky Savings Rate on USDS
- 8. Elixir's deUSD drops 98%: What's happening?, Cryptopolitan
- 9. ESMA Guidelines on key concepts of the AIFMD (ESMA/2013/611)
- 10. ESMA Guidelines on the qualification of crypto-assets as financial instruments (ESMA75-453128700-1323, December 2024)
- 11. Regulation (EU) 2023/1114 on markets in crypto-assets (MiCAR), Articles 3, 60 and Recital 22
- 12. MiCA Regulation: White & Case overview of Article 60
- 13. FSMA: Crypto Asset Service Provider (CASP)
- 14. EBA-ESMA Joint Report on Recent Developments in Crypto-Assets (Article 142 MiCAR), 16 January 2025
- 15. "Fully" decentralised DeFi under MiCAR, PwC Legal
- 16. Directive 2014/65/EU (MiFID II), Article 4(1)(44): definition of transferable securities
- 17. BaFin, Ethena GmbH: BaFin prohibits new business with USDe token, 21 March 2025
- 18. BaFin, Ethena (BVI) Ltd.: Grounds to suspect securities of Ethena OpCo Ltd. are being offered to the public without the required prospectus, 3 June 2025
- 19. VG Frankfurt, Germany's first MiCAR decision (Ref. 7 L 1257/25, 2 May 2025), Bird & Bird analysis
