Why BlackRock BUIDL Scores Lower Than You'd Expect
The BlackRock name carries the weight of $10 trillion in assets under management. Securitize runs the tokenization infrastructure. BNY Mellon handles custody. So why does our Onyx Score rate BUIDL at just 773 out of 1,000 — a BBB grade?
The answer reveals something important about how investors should think about risk in tokenized assets. Brand reputation and on-chain security are two different things, and conflating them is a mistake the market is making at scale.
What the Onyx Score Measures
The Onyx Risk Score evaluates tokenized assets across six independent pillars, each weighted according to its impact on investor risk. Every pillar contributes a portion of the total 1,000-point scale:
- Credit Risk — quality of the underlying collateral and issuer creditworthiness
- Smart Contract Risk — security audits, code quality, upgrade mechanisms, and on-chain verification
- Custody Risk — who holds the assets, segregation, insurance, and operational controls
- Oracle Risk — how pricing and NAV data reaches the blockchain
- Liquidity Risk — redemption windows, secondary market depth, and concentration
- Regulatory Risk — legal structure, investor protections, and jurisdictional compliance
This framework matters because traditional due diligence focuses heavily on the first pillar, credit quality. For a BlackRock fund backed by U.S. Treasuries, credit risk is nearly perfect. But a tokenized asset adds five more pillars, and two of them, smart contract risk and oracle risk, have no counterpart in traditional finance at all. That is where the story gets interesting.
BUIDL's Onyx Score: 773/1000 (BBB)
Here is how BUIDL performs across each pillar in our analysis:
The credit pillar performs exactly as you'd expect. U.S. Treasury bills are the global risk-free benchmark, and BlackRock's fund management track record is unimpeachable. Custody through BNY Mellon — one of the oldest and most regulated custodians in the world — is rock solid.
But one pillar drags the entire score down significantly.
The Smart Contract Problem: 85 out of 200
BUIDL scores 85 out of a possible 200 on smart contract risk. This is the single largest deficit in its Onyx Score and the primary reason a BlackRock product earns a BBB rather than an A or AA rating.
Here's why.
No publicly available smart contract audit. As of this writing, BlackRock and Securitize have not published a third-party security audit of the BUIDL smart contracts. For a fund holding $2.5 billion in investor capital on-chain, this is a significant gap. Major DeFi protocols routinely publish their audit reports, and many tokenized competitors do the same. BUIDL does not.
Permissioned contract architecture. BUIDL operates through a permissioned token system managed by Securitize. While this provides compliance benefits (KYC/AML enforcement), it also means the contract's admin keys carry considerable power. The ability to freeze, burn, or modify token balances is controlled by a centralized entity. This is standard for regulated tokenized products — but it still represents a real risk vector that must be scored.
Multi-chain deployment without public verification. BUIDL has expanded aggressively across eight blockchains: Ethereum, Solana, BNB Chain, Aptos, Avalanche, Arbitrum, Optimism, and Polygon. Each deployment is a separate contract on a separate execution environment (Solana and Aptos are not even EVM chains, so their programs share no bytecode with the Ethereum contract), with its own admin keys and its own path for moving tokens between chains. More chains mean more attack surface, and nothing in the public documentation lets an outside reviewer confirm that each deployment matches code that has actually been reviewed.
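One concrete check behind that last point, added here as an example (it is not code from the article, BlackRock or Securitize): pull each EVM deployment's runtime bytecode and compare it against the build a reviewer actually looked at. The sample bytecode, chain names and the "ethereum" reference below are constructed for illustration and are not BUIDL's real deployments; in practice each value comes from eth_getCode against that chain's RPC endpoint. Two things make a naive byte-for-byte comparison misleading, and the code handles both: solc appends a CBOR metadata trailer that differs between otherwise identical builds, and a proxy's bytecode says nothing about the logic behind it.

```python
"""Cross-chain runtime-bytecode comparison for a multi-chain token.

Added example, not code from the article or from BlackRock/Securitize. The bytecode
in SAMPLE_DEPLOYMENTS is constructed for illustration and is not BUIDL's; in practice
each value comes from eth_getCode against that chain's RPC endpoint.
"""
from __future__ import annotations

import hashlib

# EIP-1167 minimal proxy runtime code: 10-byte prefix, 20-byte target, 15-byte suffix.
EIP1167_PREFIX = bytes.fromhex("363d3d373d3d3d363d73")
EIP1167_SUFFIX = bytes.fromhex("5af43d82803e903d91602b57fd5bf3")


def strip_cbor_metadata(code: bytes) -> bytes:
    """Drop the solc CBOR metadata trailer so source-identical builds compare equal.

    solc appends a CBOR map (source metadata hash, compiler version) followed by a
    2-byte big-endian length of that map. Two deployments compiled from the same
    source can differ only in this trailer, so raw hashes give false mismatches.
    """
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(code):
        return code
    cbor = code[-(meta_len + 2):-2]
    if cbor[0] >> 5 != 5:  # CBOR major type 5 (map) lives in the top three bits
        return code
    return code[:-(meta_len + 2)]


def minimal_proxy_target(code: bytes) -> str | None:
    """Return the delegate address if `code` is an EIP-1167 minimal proxy, else None.

    A proxy's bytecode says nothing about the logic it forwards to, so two
    matching proxies on two chains are not evidence of matching token logic.
    """
    if (len(code) == 45 and code.startswith(EIP1167_PREFIX)
            and code.endswith(EIP1167_SUFFIX)):
        return "0x" + code[10:30].hex()
    return None


def fingerprint(code: bytes) -> str:
    # hashlib has no keccak256 (sha3_256 uses different padding), so sha256 is used;
    # any collision-resistant hash works for an equality check, but the value will
    # not match the keccak hash shown by block explorers.
    return hashlib.sha256(strip_cbor_metadata(code)).hexdigest()


def compare_deployments(deployments: dict[str, bytes], reference: str) -> dict[str, str]:
    """Classify each chain's code against the reference deployment the reviewer saw."""
    ref_fp = fingerprint(deployments[reference])
    report = {}
    for chain, code in deployments.items():
        if minimal_proxy_target(code) is not None:
            report[chain] = "proxy"     # resolve the target and compare that instead
        elif fingerprint(code) == ref_fp:
            report[chain] = "match"
        else:
            report[chain] = "mismatch"  # different logic, or different immutables
    return report


def solc_trailer(source_hash_hex: str) -> bytes:
    """Build a solc-0.8.19-style metadata trailer: a2{ipfs: <34 bytes>, solc: 0.8.19}."""
    cbor = (bytes.fromhex("a2") + b"\x64ipfs" + bytes.fromhex("5822" + "1220" + source_hash_hex)
            + b"\x64solc" + bytes.fromhex("43000813"))
    return cbor + len(cbor).to_bytes(2, "big")


# Constructed "runtime code" bodies; not real contract bytecode.
SAMPLE_BODY = bytes.fromhex("608060405234801561001057600080fd5b50")
SAMPLE_ALTERED = SAMPLE_BODY + b"\x00"  # one extra byte of logic: a genuinely different build

SAMPLE_DEPLOYMENTS = {
    "ethereum": SAMPLE_BODY + solc_trailer("11" * 32),
    "arbitrum": SAMPLE_BODY + solc_trailer("22" * 32),     # same source, different metadata
    "polygon": SAMPLE_ALTERED + solc_trailer("11" * 32),   # different logic, flagged anyway
    "avalanche": EIP1167_PREFIX + bytes.fromhex("ab" * 20) + EIP1167_SUFFIX,
}

if __name__ == "__main__":
    for chain, verdict in compare_deployments(SAMPLE_DEPLOYMENTS, "ethereum").items():
        print(f"{chain:10s} {verdict}")
```

A match across the stripped code only tells you the EVM deployments run the same logic, not that the logic is sound, and it says nothing about the Solana and Aptos programs, which need their own source-to-binary verification. For proxies you repeat the exercise on the implementation address; for EIP-1967 upgradeable proxies that means reading the implementation storage slot, which this offline example does not do.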
No formal bug bounty program. Leading DeFi protocols and competing tokenized products maintain active bug bounty programs that incentivize white-hat security researchers to find vulnerabilities before exploits occur. BUIDL has no public bug bounty.
“Trust BlackRock” Is Not a Security Audit
The most common counterargument is simple: It's BlackRock. They don't cut corners on security. That may well be true. BlackRock almost certainly conducts internal security reviews and may have commissioned private audits that are not publicly disclosed.
But the Onyx Score methodology is based on what is verifiable, not what is assumed. This is a deliberate design choice. In traditional finance, investors can review a fund's prospectus, auditor reports, and regulatory filings. These documents exist precisely because “trust us” is not sufficient for institutional capital allocation.
The same standard should apply to on-chain infrastructure. If the smart contracts governing $2.5 billion in tokenized Treasuries have been audited, investors deserve to see the reports. If they haven't been audited by an independent third party, that's a material risk factor regardless of who the issuer is.
How BUIDL Compares to Its Competitors
This gap becomes clearer when you compare BUIDL to other tokenized treasury products, starting with Ondo's OUSG. Ondo also offers USDY, which scores 930/1000, the highest-rated yield-bearing asset in our system.
Ondo's OUSG scores 175 out of 200 on smart contract risk. Ondo has published multiple audit reports from reputable firms, maintains a transparent documentation site, and has undergone repeated security reviews as it expanded across chains. Its token contract architecture is well-documented.
Franklin Templeton's BENJI takes a different approach. As an SEC-registered tokenized fund (under the Investment Company Act of 1940), BENJI operates under a regulatory framework that mandates specific operational controls, reporting requirements, and investor protections. That oversight is an alternative form of accountability for how the product is run, though it is not a substitute for code review, and Franklin's public audit documentation is more limited than Ondo's.
BUIDL has neither the published audits of OUSG nor the regulatory registration of BENJI. It relies entirely on BlackRock's institutional reputation and Securitize's internal security practices.
The Structural Issue: BVI Jurisdiction
The smart contract gap is compounded by BUIDL's legal structure. The fund is domiciled in the British Virgin Islands through a special purpose vehicle. While BVI structures are common in finance and offer legitimate operational advantages, they provide less investor protection than U.S.-registered alternatives.
Ondo's OUSG operates as a U.S. limited partnership. Franklin's BENJI is registered with the SEC under the 1940 Act. Both structures give investors stronger legal recourse if something goes wrong.
This jurisdictional difference doesn't directly affect the smart contract pillar, but it amplifies the overall risk profile. When both the code security and the legal structure have gaps, the combined effect on the Onyx Score is significant.
What Would Improve BUIDL's Score?
The path to a higher Onyx Score for BUIDL is straightforward. None of these changes require fundamental restructuring:
Publish third-party audit reports. A comprehensive audit from a firm like Trail of Bits, OpenZeppelin, or Halborn — covering all chain deployments — would likely push the smart contract pillar from 85 to 150 or above. This single action could lift the overall Onyx Score by 60–70 points, potentially moving BUIDL from BBB to A territory.
Launch a bug bounty program. Even a modest program through Immunefi or HackerOne would add 10–15 points to the smart contract pillar and signal a commitment to ongoing security.
Publish Securitize admin key management documentation. Clarity on multi-sig configurations, timelock mechanisms, and admin privilege boundaries would address the centralization concerns inherent in permissioned token architectures.
Document cross-chain bridge security. As BUIDL operates across eight chains, publishing details on how cross-chain transfers are secured and validated would provide material comfort on multi-chain risk.
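What the admin-privilege review asked for above starts from, as an added example rather than the article's or Securitize's code: list every state-changing function an ordinary holder is not expected to call, grouped by the capability it grants, so that the key-management questions (who holds it, multisig or not, behind what delay) can be asked per capability. The ABI below is a constructed, hypothetical permissioned ERC-20 used to show the method; it is not BUIDL's ABI, and the name patterns are reviewer heuristics to be confirmed against the source, not a standard.

```python
"""Privileged-entry-point inventory for a permissioned token ABI.

Added example, not code from the article or from BlackRock/Securitize.
SAMPLE_ABI is a constructed, hypothetical permissioned ERC-20; it is not BUIDL's ABI.
"""
import re

# State-changing ERC-20 functions an ordinary holder is expected to call.
HOLDER_CALLABLE = {"transfer", "approve", "transferFrom",
                   "increaseAllowance", "decreaseAllowance", "permit"}

# Name heuristics for what a privileged function can do; first match wins.
# These are review heuristics, not a standard: confirm each hit against the source.
CAPABILITIES = {
    "supply": re.compile(r"^(mint|burn)", re.IGNORECASE),
    "account_control": re.compile(
        r"(freeze|pause|block|forceTransfer|seize|wipe)", re.IGNORECASE),
    "upgrade": re.compile(r"^(upgradeTo|upgradeToAndCall|setImplementation)$"),
    "configuration": re.compile(r"^(set|grant|revoke|add|remove)[A-Z]"),
}


def privileged_entry_points(abi: list) -> dict:
    """Return {capability: [signature, ...]} for state-changing, non-holder functions.

    view/pure functions are skipped; names no heuristic recognises go under
    "unclassified" so they get reviewed rather than silently dropped.
    """
    found = {cap: [] for cap in CAPABILITIES}
    found["unclassified"] = []
    for item in abi:
        if item.get("type") != "function" or item.get("stateMutability") in ("view", "pure"):
            continue
        name = item["name"]
        if name in HOLDER_CALLABLE:
            continue
        sig = f"{name}({','.join(arg['type'] for arg in item.get('inputs', []))})"
        for cap, pattern in CAPABILITIES.items():
            if pattern.search(name):
                found[cap].append(sig)
                break
        else:
            found["unclassified"].append(sig)
    return {cap: sigs for cap, sigs in found.items() if sigs}


def logic_is_mutable(abi: list) -> bool:
    """True if the ABI exposes an upgrade path: an audit of today's bytecode then
    does not cover the code holders will be exposed to after the next upgrade."""
    return "upgrade" in privileged_entry_points(abi)


def abi_function(name, inputs=(), mutability="nonpayable"):
    """Build one ABI function entry (helper for the constructed sample)."""
    return {"type": "function", "name": name, "stateMutability": mutability,
            "inputs": [{"name": f"a{i}", "type": t} for i, t in enumerate(inputs)],
            "outputs": []}


# Constructed sample ABI for a hypothetical permissioned token (not BUIDL's).
SAMPLE_ABI = [
    abi_function("balanceOf", ["address"], "view"),
    abi_function("transfer", ["address", "uint256"]),
    abi_function("approve", ["address", "uint256"]),
    abi_function("transferFrom", ["address", "address", "uint256"]),
    abi_function("freezeAccount", ["address"]),
    abi_function("unfreezeAccount", ["address"]),
    abi_function("forceTransfer", ["address", "address", "uint256"]),
    abi_function("pause"),
    abi_function("mint", ["address", "uint256"]),
    abi_function("burn", ["address", "uint256"]),
    abi_function("upgradeToAndCall", ["address", "bytes"], "payable"),
    abi_function("setComplianceRegistry", ["address"]),
    abi_function("grantRole", ["bytes32", "address"]),
    abi_function("rescueTokens", ["address", "uint256"]),
    {"type": "event", "name": "Transfer", "inputs": []},
]

if __name__ == "__main__":
    for cap, sigs in privileged_entry_points(SAMPLE_ABI).items():
        print(f"{cap:16s} {', '.join(sigs)}")
    print("logic mutable:", logic_is_mutable(SAMPLE_ABI))
```

The inventory is the input to the documentation the article asks for, not a substitute for it: for each bucket the issuer should state which address holds the role, whether it is a multisig and at what threshold, and what timelock delay (if any) sits between a privileged transaction being queued and executed. An "unclassified" hit such as rescueTokens is the kind of function a reviewer reads in full before scoring.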
The Bottom Line
BlackRock BUIDL is not a bad investment. The underlying assets are U.S. Treasuries managed by the world's largest asset manager, held in custody by one of the world's oldest banks. The credit quality is impeccable.
But tokenized assets are more than their underlying collateral. They are smart contracts deployed on public blockchains, and the security of those contracts matters. When $2.5 billion sits in code that hasn't been publicly audited, that's a risk factor — regardless of whose name is on the door.
The Onyx Score at 773 reflects this reality. BUIDL excels on credit, custody, and operational infrastructure. It falls short on the on-chain security transparency that investors in tokenized assets should demand.
If BlackRock published its audit reports tomorrow, BUIDL's score would likely jump significantly. Until then, the BBB rating stands as an honest assessment of what can be verified, not what can be assumed.
Related Reading
The Onyx Risk Score is an independent analytical framework developed by RWA Flows. It is not a credit rating, investment recommendation, or guarantee of safety. See our full methodology for scoring details.
View the full BUIDL risk analysis: BlackRock BUIDL Onyx Score
Compare products: BUIDL vs OUSG | Franklin BENJI Analysis