Litepaper

RIZK Protocol

Programmable Capital for a Risky World

Section OneIntroduction: A New Risk Infrastructure

Three forces are converging at once. Each is significant on its own. Together, they point to a structural shift in how the world transfers risk.

First, global risk is accelerating and compounding faster than the institutions built to absorb it.

Second, capital markets are absorbing more of that risk through insurance-linked instruments. But these markets remain constrained by slow, fragmented infrastructure.

Third, programmable capital has emerged. Blockchains, stablecoins, tokenized assets, and Decentralized Finance (DeFi) have made capital global, liquid, and composable by default.

These forces are no longer independent. They point to a single conclusion. Risk transfer, the mechanism by which the world protects itself against catastrophe, is ready for new infrastructure.

1.1A World That Is Getting Riskier

We are living through a polycrisis. Geopolitical tension, climate events, cyber threats, and economic instability are not increasing in isolation. They are interacting and amplifying one another.

The WEF describes a geopolitical recession deepening since 2014[1]; Eurasia Group calls 2026 "a tipping point year"[2]; and a survey of 860 risk decision-makers across 94 countries flags the same interlocking cluster—geopolitical tensions, cybercrime, instability, regulatory uncertainty, and extreme weather[3].

Natural catastrophe losses show the trend most clearly. Insured losses have grown 5–7 percent annually in real terms for three decades and have exceeded $100 billion for six consecutive years[4]. Even in 2025, when the insured share hit 49 percent—the highest in over 50 years—more than $100 billion in economic losses went uncovered[5]. Swiss Re is now modelling a $320 billion peak-loss scenario for 2026[4].

Natural catastrophe losses — 10-yr averages and peak-peril scenario $0 $111B $267B $320B Insured Uncovered Tail 10-yr avg insured loss Swiss Re sigma, 2015–2024 10-yr avg uncovered loss Swiss Re sigma, 2015–2024 Peak-peril extension Swiss Re modeled scenario 10-yr averages (2015–2024, Swiss Re sigma): $267B economic, $111B insured. Peak-peril scenario: $320B.
Fig. 1Insured capacity vs. economic loss — 10-year averages and peak-peril scenario

Cyber incidents—now intensifying with AI—are the top global corporate risk[6]. Yet cyber insurance remains underpenetrated, comprising less than 1% of the global market[7]. Coverage is limited: 47% of large organizations have policies, compared to just 10% of SMEs[8], leaving most exposure uninsured on corporate balance sheets[7,9].

Faced with rising risk, the industry is retreating, not expanding. Insurers and reinsurers are cutting cover and raising prices rather than deploying more capacity[10].

The result is a paradox: record industry capital, shrinking available coverage, rising cost to buyers. The gap isn't a capital shortage—it's a risk-transfer failure.

1.2The Rise of Alternative Capital

Where traditional capacity retreats, alternative capital have stepped in.

Insurance-linked securities (ILS)—financial instruments that transfer risk to the capital market—have surged. For the category's flagship product, the catastrophe bond (cat bond), 2025 was a record year: $25.6 billion in new issuance, up 45% year-on-year, and the first time annual volumes ever crossed $20 billion[11]. Total alternative capital grew 18% to $136 billion, becoming the primary driver of growth in global reinsurance capital, which itself reached a record $785 billion[12].

The market is broadening on every axis.

On the investor side, pension funds, sovereign wealth funds, endowments, and dedicated ILS managers now treat cat bonds as a core allocation. Returns are equity-like, volatility is bond-like, and correlation to traditional markets is near zero. UCITS cat bond funds alone added $5.3 billion in 2025 to reach $19 billion in AUM, signalling growing mainstream access and demand for the asset class[13].

On the risk sponsor side, re/insurers still dominate, but the base is expanding to include governments, sovereign risk pools, and corporates transferring risk directly to capital markets. Fifteen new sponsors entered the market in 2025—the broadest expansion of the issuer base on record[11].

On the product side, cat bonds now cover cyber (including a record $300 million Beazley deal), wildfire, terrorism, cloud outage, and mortgage default—perils well beyond their hurricane and earthquake origins.

And yet, the market is still far too small for the task.

Greg Case, CEO of Aon, one of the world's largest re/insurance brokers, has outlined the challenge in direct terms: "If we don't bring in a trillion dollars in alternative capital in the next decade, we've failed"[14]. His framing: the global insurance industry is $4 trillion; the capital pool around it is $250 trillion—more than 60 times its size. Insurance has been the primary conduit between risk and capital, but risk is outgrowing it. The constraint isn't capital—it's the channel.

The scale mismatch Global capital pool $250T Equities, debt, pensions, sovereign reserves. The capital exists. Global insurance pool $4T Annual premium. Price tag on hundreds of trillions in coverage. A fraction of addressable risk — §1.1 Alternative capital today $136B Cat bonds, collateralized reinsurance, sidecars. +18% YoY. 3.4% of the insurance pool Aon target — 2035 $136B today $1T target (7.4×) $4T insurance pool $4T of annual premium backs hundreds of trillions in coverage; alt capital supplies $136B. The bottleneck is the mechanism, not the money.
Fig. 2Capital, insurance pool, and alternative capital

Those mechanisms are still creaking. Structuring a single cat bond costs $500,000 or more and takes up to six months[15]. Minimum tickets start at $250,000. Secondary markets are opaque, over-the-counter, and manual. Capital, once committed, is effectively locked for the bond's multi-year term. These are not features of risk transfer logic. They are artifacts of the legacy infrastructure that delivers it.

"If we don't bring in a trillion dollars in alternative capital in the next decade, we've failed."
Greg Case, CEO of Aon

1.3The Programmable Capital Stack

A parallel revolution in financial infrastructure has been building for over a decade, and has now reached a level of maturity that makes it directly relevant to the $4 trillion global risk pool.

Start with money itself. For centuries, value moved through banks—slow, jurisdictionally bound, intermediated at every step. Fintech accelerated parts of the stack but left the underlying rails intact. Cryptocurrencies and blockchains introduced a different model: value moving peer-to-peer over programmable networks in real time.

Stablecoins were the first blockchain application to reach scale—tokenized representations of fiat currency, now carrying a market cap of $317 billion and settling $33 trillion in transaction volume in 2025, up 72 percent year-on-year and rivalling Visa and Mastercard combined[16]. Business-to-business stablecoin payments alone grew from under $100 million per month in early 2023 to over $6 billion per month by mid-2025[17].

Regulation has converged. Japan, Singapore, the EU, Hong Kong, the UAE, and the US now have stablecoin frameworks in force, with the UK finalizing rules in 2026[18,19]. Different jurisdictions, converging standards, a testimony that stablecoins are being absorbed into the regulated financial system.

The institutional commitment is structural. Visa's stablecoin settlement reached a $4.5 billion annualized run rate by January 2026[17]. Stripe is building Tempo, a purpose-built blockchain for payments[20]. JPMorgan—whose CEO Jamie Dimon was once among the industry's most prominent crypto skeptics—committed in its 2025 shareholder letter to rolling out its own blockchain infrastructure[21]. And the next wave is visible: AI agents transacting at machine speed need money that is programmable and always-on—making stablecoins the natural settlement layer for agentic commerce.

Tokenization of real-world assets is on the same trajectory. Tokenized off-chain instruments—Treasuries, private credit, trade documentation—have grown nearly fivefold in three years to over $30 billion[22], led by BlackRock, Goldman Sachs, Franklin Templeton, and JPMorgan[23]. Standard Chartered projects the tokenized asset market could reach $30 trillion by 2034[24].

Decentralized Finance (DeFi) is what makes these building blocks more than just digital. Open, programmable protocols on public blockchains turn capital into something composable, liquid, and interoperable by default. Capital in DeFi is not merely digital; it is programmable—it can be lent, staked, wrapped, and posted as collateral in a single transaction, with no intermediary approving any step. The primitives are mature, liquid, and increasingly institutional—and the same architecture is already pricing real-world events at scale, with onchain prediction markets like Polymarket processing over $21 billion in notional volume in 2025[25].

The building blocks for programmable, global, always-on financial infrastructure are no longer theoretical. They are deployed, liquid, regulated, and institutional. What is missing is their application to risk transfer.

1.4The Convergence and the Opportunity

Three forces have converged: risk is outpacing traditional capacity, alternative capital is surging into the gap but remains throttled by legacy infrastructure, and programmable capital has crossed the threshold from experimental to institutional.

01 Rising Risk A polycrisis that outpaces capacity. $100B+ annual gap 02 Alternative Capital Capital markets absorbing more risk. $136B · growing 18% 03 Programmable Capital Value moving over programmable rails. $33T settled in 2025 A new risk-transfer infrastructure
Fig. 3The convergence

What's missing is infrastructure purpose-built for risk transfer—programmable, composable, and interoperable with onchain capital by default. Infrastructure that takes the proven economic logic of catastrophe bonds, collateralized reinsurance, and sidecars and expresses it in a form that is natively digital: automated in execution, transparent in state, and open to any qualified participant.

RIZK is that infrastructure.

Section TwoInstruments of Risk Transfer

Before describing what RIZK builds, it helps to understand what already exists—and to see that three different-looking instruments are actually the same structure in different configurations.

2.1One Structure, Three Configurations

Every ILS instrument follows the same basic logic. A party wants to transfer a defined risk. Capital is posted into a ring-fenced structure as collateral. Premium flows from the risk holder to the capital provider for the coverage term. If a defined event occurs, collateral pays the claim. If it does not, capital is returned with accumulated premium. The return to capital is uncorrelated with traditional markets because it is driven by real-world events—hurricanes, earthquakes, cyber breaches—not equity or credit cycles.

What varies is the configuration.

A Catastrophe Bond B Coll. Reinsurance C Sidecar Risk side Sponsor Cedent Re/insurer SPV SPV SPV Capital side Many investors ILS fund Anchor LP + co-investors Public issuance, fractionalized widely. Bilateral private contract. Sponsor retains skin in the game.
Fig. 4One structure, three configurations

Catastrophe bonds are the public-markets form. A sponsor—typically an insurer, reinsurer, sovereign, or large corporation—issues notes through a special purpose vehicle. Investors purchase the notes, proceeds sit in a collateral trust, and the notes trade in a regulated secondary market. Cat bonds scale well because they reach many investors, but they are expensive to structure and slow to issue.

Collateralized reinsurance is the bilateral form. A single capital provider (usually an ILS fund) posts collateral to back a specific reinsurance contract with a cedent. There is no public offering, no notes, no rated tranches. It is faster and cheaper to execute than a cat bond and is the natural starting point for smaller deals, new risk classes, or counterparty relationships still being established.

Sidecars are the co-investment form. A re/insurer establishes a vehicle that lets third-party investors participate alongside it on a specific book of business, sharing proportionally in premiums and losses. The sponsor retains skin in the game; investors gain access to underwriting portfolios they could not reach alone.

The mechanics are not meaningfully different across the three. The same premium-for-collateral-for-trigger structure appears in each, with the degree of standardization, the breadth of participation, and the sponsor-investor alignment varying by configuration.

2.2Trigger Design

The rule that determines whether a payout occurs—the trigger—is the most consequential design choice in any ILS instrument. Four types dominate: indemnity (based on the sponsor's actual incurred losses), industry loss index (based on total industry losses reported by an independent agency), modelled loss (based on a catastrophe model's estimated loss), and parametric (based on a physical measurement such as wind speed, earthquake magnitude, or vessel transit counts).

Trigger types Indemnity Industry Loss Modelled Parametric Measures Actual losses Industry index Model output Physical measure Basis risk Low Matches actual loss Moderate Industry index as proxy Mod-high Model output as proxy Higher Payout tracks hazard, not loss Moral hazard High Sponsor controls loss reporting Low Sponsor cannot move industry data Low Third-party model, sponsor cannot alter Negligible No human judgment in the payout Pricing friction High Hidden tail in sponsor's book Medium Standardized industry data Low-medium Model output is the pricing input Low Direct hazard measure Disclosure burden High Exposes proprietary loss book Low No sponsor-specific data shared Medium Exposure data fed into model None No sponsor-side data required Lower basis risk costs moral hazard, disclosure burden, and pricing friction.
Fig. 5Trigger types — trade-offs

The trade-off is sharp. Indemnity triggers match the sponsor's actual loss most closely but introduce moral hazard, require disclosure of proprietary loss data, and take weeks or months to resolve. Parametric triggers are fast, transparent, and dispute-free, but may not perfectly match the sponsor's actual exposure—a gap known as basis risk. Parametric is the trigger type best suited to programmable execution: the measurement is objective, the payout is deterministic, and settlement can happen the moment the data arrives.

Section ThreeRIZK Protocol

RIZK is an onchain protocol for risk transfer. It connects risk holders—insurers, reinsurers, corporates, sovereigns—with capital providers through programmable, transparent, and automated vaults.

At the core is a single shared architecture: two linked vaults that together function as an onchain special purpose vehicle. Every ILS instrument described in Section 2—catastrophe bonds, collateralized reinsurance, sidecars—is issued, held, and traded on RIZK through this architecture. The three are not separate products in RIZK. They are configurations of the same two-vault structure.

A cat bond structured through RIZK uses the same economic logic as a traditional one—but on RIZK, the instrument is no longer static. Coverage, premium, and capital are all composable building blocks that can be split, combined, transferred, and used as collateral elsewhere in the system.

The sections that follow describe the architecture. For readers new to DeFi, the next section introduces vaults—the foundational primitive on which RIZK is built.

3.1A Short Primer on Vaults

The vault is one of the foundational primitives of DeFi: a smart contract that accepts deposits, issues shares, and executes a defined strategy on behalf of depositors.

Early vaults proved that capital management could be executed securely without human intermediation, but they were structurally fragmented. Every protocol built a custom interface, making broad integration difficult. This bottleneck was resolved in 2022 with the finalization of the ERC-4626 Tokenized Vault Standard[26]. By defining a universal, interoperable interface for how vaults handle deposits, withdrawals, and share accounting, ERC-4626 transformed vaults from fragmented tools into unified, institutional-grade infrastructure. Extensions built on top of ERC-4626 have since broadened its reach: ERC-7540 adds asynchronous deposit and redemption flows for assets that do not settle atomically[40], and ERC-7575 extends the interface to support vaults that accept multiple assets against a single share token[41].

Anatomy of a production vault Access control Asset owners, behind a timelock. Governance Emergency Pause deposits, halt operations, circuit breakers. Safety Users Asset Share Vault contract Treasury & ledger Holds assets, mints shares, tracks NAV. ERC-4626 interface deposit · withdraw · redeem Capital Yield Strategy contract Capital engine Deploys, harvests, compounds. Upgradable independently Yield source Lending platforms Tokenized MM funds Staking, DEX LP Orchestration Scheduled execution of harvests and rebalances. Automation Oracles Price feeds that anchor valuation and trades. Data Composable, auditable, standardized. One role, one flow — everything RIZK builds starts here.
Fig. 6Anatomy of an ERC-4626 vault

DeFi's Total Value Locked (TVL) exceeds $100 billion across all chains[27]. While over $15 billion sits in natively ERC-4626 vaults[27], the standard's impact is structural rather than just native. The largest legacy protocols holding the bulk of that $100 billion TVL are increasingly adding ERC-4626 wrapper layers to plug into this composable infrastructure, making the standard the de facto interface through which capital enters onchain yield.

This standardization has facilitated direct institutional adoption: Kraken routes exchange deposits into onchain lending vaults[28], Apollo Global Management commits capital to vault strategies[29], and BlackRock's BUIDL tokenized liquidity fund operates natively within this composable ecosystem[30].

Vaults have proven they can custody capital, execute strategies, and issue transferable shares securely at scale. However, almost every vault deployed to date is designed for a single purpose: one-sided yield optimization, where capital enters, earns a return, and exits. RIZK takes this one-sided yield infrastructure and couples it with oracle-gated logic to create a two-sided risk market.

3.2The Two-Sided Vault

Functionally, a RIZK vault operates as the onchain equivalent of a special purpose vehicle (SPV): an isolated structure that holds capital, enforces terms, and executes payments automatically.

Where a traditional yield vault acts as an investment vehicle, a RIZK vault is two-sided. It binds two counterparty roles—one providing something, one receiving something—and mediates the flow between them onchain.

A coverage is two linked vaults Access control Emergency Cedent Risk side Premium Risk transfer contract Protection Premium commitment TOKENS Protection token Debtor position Investor Capital side Collateral Yield Collateral TOKENS Collateral position Claim position Coverage Premium-yield vault Streaming premium accounting Pass-through escrow Debtor position · Claim position State Protection-collateral vault Payout escrow & yield engine Collateral earns base yield during term Protection token · Collateral position Oracle Orchestration Strategy Yield source Lending platforms Tokenized MM funds Staking, DEX LP Primarily for protection-collateral; may extend to premium-yield. Four positions. Two linked vaults. One coverage. Same counterparty pair, same coverage term — tokens transferable independently during the term.
Fig. 7A coverage is two linked vaults

A coverage is two linked vaults. A RIZK coverage is not a single vault but two linked two-sided vaults operating in parallel:

Four positions total—two per vault—each a first-class onchain token. Positions in the two vaults are independent: a capital provider can hold the collateral position in one vault and separately transfer the claim position in the other.

All four positions expose four properties that are not available in traditional ILS:

TransferA position moves to a new holder at any point in the coverage term. Transfer novates the position onchain: the vault enforces the same terms against the new holder, with no bilateral renegotiation or off-chain documentation.
FractionalizationA position splits into smaller tokens, each representing a proportional share of the underlying claim. Fractionalization collapses the $250,000 minimum cat bond ticket: a $10 million vault can issue $10,000 or $1,000 positions. A corporation with $50 million of earthquake protection allocates fractions across subsidiaries by exposure; two airlines at a shared hub hold fractions of a single volcanic ash protection token.
CompositionSeparate positions bundle into composites. A wind, flood, and earthquake token for the same region assemble into a single multi-peril position covering all three. Composite instruments are built bottom-up from modular components, not defined top-down as monolithic products.
External CollateralA position represents an economic claim and is pledgeable as collateral in external arrangements. A cargo operator pledges a parametric delay protection token to secure a trade finance facility; a capital provider pledges a claim position in a DeFi lending market.

These four properties, operating together onchain, enable a secondary market that does not meaningfully exist for these instruments today. Traditional ILS secondary trading is thin, broker-mediated, and slow: cat bond positions change hands through off-chain negotiation and manual documentation, and collateralized reinsurance positions rarely trade at all. Onchain tokenization turns the same positions into instruments that can be transferred, sold, or used as collateral directly between holders, without intermediaries, with near-instant settlement.

These same properties also make the vault architecture instrument-agnostic. The same two-vault structure can be configured as collateralized reinsurance, as a catastrophe bond, or as a sidecar — each of the three instruments described in Section 2 is a configuration of the same base primitive. Once a coverage is configured, distribution can still shift through the term as positions are transferred or fractionalized: a coverage issued as a bilateral deal can end up economically resembling a cat bond by maturity, even though its legal classification — set at issuance — does not change with it. The architecture is flexible to the market situation in a way that traditional ILS infrastructure is not, where each instrument is a separate product with its own placement and documentation cycle.

T0 Bilateral T1 Growing T2 Cat-bond-like Risk Vault Vault Vault Capital One provider, full ticket. Fractions trade to more investors. Broad base, small tickets.
Fig. 8Distribution shape over a coverage term

3.3The Protection-Collateral Vault

The protection-collateral vault holds the payout flow. The protection token on the risk side and the collateral position on the capital side are two views of the same locked capital.

The protection token encodes the parametric terms of the coverage—trigger condition, payout structure, coverage tenor, and coverage limit—as onchain state. Whether a payout is due is determined by the vault's trigger evaluation against data supplied by the oracle framework (Section 3.5).

The collateral position represents the capital side's locked principal. The underlying collateral is locked in the vault for the coverage term and cannot be withdrawn during the term; the collateral position token, however, is freely transferable on secondary markets, subject to the vault's compliance rules (Section 3.6).

Unlike the debtor and claim tokens in the premium-yield vault (Section 3.4), which mirror each other continuously, the protection token and collateral position are asymmetric: one represents a contingent right to payout, the other a locked pool of principal. They are resolved by a single event — the trigger, evaluated against data supplied by the oracle framework (Section 3.5). If the trigger fires, collateral flows to the protection token holder and the position is extinguished; if the term ends without a trigger, the collateral returns to the capital provider.

The vault's state also depends on premium being paid. The premium-yield vault (Section 3.4) monitors premium payment against the agreed schedule and signals the protection-collateral vault if payment is missed. In that case coverage is impaired — depending on configuration, the vault may suspend protection, release locked collateral to the capital provider, or, as an option, apply a forfeit against a deposit posted by the cedent at inception.

Example entry routes Vault Transformation Source Protection- collateral vault Asset-agnostic 1 Direct stablecoin Investor holds digital dollars and funds the vault directly. USDC / USDe 2 Crypto transformer Crypto is converted to stablecoin through yield-earning protocols, stacking base yield. ETH via Lido stETH via Ethena USDe 3 Native crypto match The vault holds the same asset the coverage pays out in. ETH / BTC 4 Tokenized RWA Tokenized Treasuries, money-market funds, or credit post directly as collateral. BUIDL / BENJI 5 Exotics / LP tokens Existing yield-bearing positions serve as collateral without liquidating the underlying. aTokens · Curve LP · Pendle PT/YT Illustrative routes. The vault is asset-agnostic; additional paths can be added without changing the protocol.
Fig. 9Entry routes into the Protection-Collateral vault

Entry routes. Capital enters the vault through one of three paths. Direct deposit: stablecoins or matched-denomination crypto (USDC, USDe, ETH, BTC) deposit as-is. Transformer routes: a base asset is converted into the required collateral denomination while generating yield along the way. Yield-bearing deposits: tokenized RWAs (BUIDL, BENJI) or existing DeFi positions (lending receipts, LP tokens) post as collateral without liquidation.

Strategies for locked collateral. In a traditional cat bond, locked collateral earns the risk-free rate by sitting in a trust invested in Treasuries or money market funds. RIZK does the equivalent onchain: each vault runs a strategy contract that deploys the locked collateral to an external yield source for the duration of the coverage term. The strategy is configured per vault at inception — common options include staking (stETH via Lido), lending (USDC in Aave), tokenized Treasuries (BUIDL), or liquidity provision (Curve LP). Strategies must preserve the vault’s ability to honor a payout at trigger: positions must be unwindable on short notice, and liquidity constraints are enforced by the strategy contract itself.

3.4The Premium-Yield Vault

The premium-yield vault holds the premium flow. It is a two-sided ledger initialized at inception with the full premium due for the coverage term. One side tracks outstanding debt; the other tracks the corresponding claim. The two are equal and opposite by construction.

The debtor position represents the obligation to pay premium. The claim position represents the right to receive premium as it accrues. The two positions are independent: a capital provider can transfer the claim position to a secondary buyer while retaining their collateral exposure, or vice versa.

Both positions are onchain tokens, and unlike the protection token and collateral position in the protection-collateral vault (Section 3.3) — which are asymmetric and resolved by a trigger event — the debtor position and claim position are symmetric mirrors of each other at all times. The mechanics are similar in design to onchain streaming primitives like Superfluid: a single premium stream is tokenized simultaneously as an outflow on the payer's side and an inflow on the receiver's side, with the two sides staying equal and opposite in real time as payment accrues.

The vault monitors whether premium is being paid on the agreed schedule. If premium is missed, it signals the protection-collateral vault (Section 3.3), which impairs the coverage as described in that section.

Payment logic is programmable: the vault can encode who may pay premium (e.g., a cedent's treasury, a specific financier, a donor whitelist), how payments are sequenced against debt, and what happens if payment is missed — all enforced onchain rather than through paper contracts and manual reconciliation.

The financing and sponsorship routes in particular enable patterns that are not easily achievable in traditional ILS.

Example premium routes Payer Mechanism Vault Premium- yield vault Source-agnostic 1 Direct premium Cedent pays premium from treasury each period. Insurer · Corporate · Sovereign 2 Streaming premium Cedent sets up an onchain stream — premium accrues continuously rather than in lump sums. Sablier · Superfluid 3 Traditional premium financing Financier pays premium; repayment governed off-chain by a Premium Finance Agreement. AFCO-style PFA 4 Protection-collateralized financing Financier pays premium and holds the cedent's protection token as onchain collateral. Onchain-native 5 Sponsored premium Donors or parents fund coverage for a beneficiary, collapsing the intermediary stack. USAID · World Bank · ARC · CCRIF · WFP R4 Illustrative routes. The vault is payer-agnostic; additional paths can be added without changing the protocol.
Fig. 10Entry routes into the Premium-Yield vault

The first two routes — direct premium payment and streaming premium — map familiar mechanisms onto onchain rails. A cedent paying premium from treasury each period works the same as any commercial insurance policy. Streaming changes the timing: premium accrues continuously rather than in discrete installments, matching how the coverage itself accrues over the term.

Beyond these default mechanisms, three further routes unlock configurations that are operationally awkward in traditional ILS.

Premium financing. Premium finance companies already pay premium on behalf of insureds; the simplest route onchain mirrors that arrangement — the financier pays into the vault and is repaid off-protocol under a standard Premium Finance Agreement. A more native variant takes onchain security directly: the financier holds the cedent's protection token as collateral against repayment, recoverable if the cedent defaults on the financing. Both variants operate today, but only the onchain-collateralized version removes the need for off-chain reconciliation and separate legal enforcement.

Premium sponsorship. Donors pay directly into beneficiary vaults. Sovereign parametric insurance in developing economies already runs on donor-subsidized premium: Jamaica's 2021 cat bond, placed through the World Bank, secured $185 million of hurricane coverage with premium paid entirely by USAID, the UK, Germany, and Canada[31]. The same pattern underpins the African Risk Capacity[32], CCRIF SPC[33], and WFP's R4 Rural Resilience Initiative[34]. Today this flows through a stack of intermediaries—issuer, donor facility, placement agents, legal, calculation agent—before premium reaches investors. RIZK collapses the stack: donors pay directly into the vault. The mechanism extends to corporate groups (parent into subsidiary vaults) and sovereign support for state-owned infrastructure.

3.5Oracles and Orchestration

A parametric trigger is only as strong as the data that drives it. RIZK defines four criteria that any data source must satisfy:

Machine-ReadableStructured digital data that smart contracts can evaluate programmatically.
Publicly VerifiableRaw data accessible to both counterparties, and ideally any third party.
Objectively SourcedThe data provider has no economic stake in the trigger outcome.
TimelyData available at the frequency the vault's evaluation requires.

RIZK is oracle-agnostic by design. The path from raw data to trigger evaluation proceeds through cryptographic attestation, onchain posting, and smart-contract evaluation against the trigger condition set at vault inception.

Safeguards layer above the primary feed: cross-source validation, a dispute period before payout execution, human escalation to a pre-agreed arbitration panel, and a manual fallback for feed outages. The safeguards stack is proportional to vault size. The protocol is designed so that material collateral never sits on the validity of a single data point.

Graduated and tranched payouts. A parametric trigger does not have to be binary. Many coverages use attachment and exhaustion points that produce a graduated payout: no payout below an attachment threshold (e.g., sustained wind speed above 150 km/h, or fewer than 35 vessels passing through the Strait of Hormuz in a 7-day window), partial payout between attachment and exhaustion, full payout above exhaustion. Tranched structures operate similarly, with discrete payout steps at multiple thresholds. The vault’s trigger evaluation reads the raw measurement from the oracle and applies the coverage’s payout curve to compute what is owed. The oracle’s job is not to answer “did the event happen” but to supply the measurement; the vault computes the payout.

Orchestration. Beyond the oracle’s role in trigger evaluation, a RIZK vault requires ongoing execution of time-based and state-based actions throughout the coverage term. Orchestration is the layer that handles these.

Premium monitoring. The premium-yield vault tracks whether premium is being paid on the agreed schedule (Section 3.4). When payment is missed, the vault signals the protection-collateral vault to impair coverage. The monitoring mechanism can be implemented as scheduled calls to the vault’s check function — via keeper networks, automation layers, or direct vault logic. The choice of implementation is a configuration decision per vault.

Strategy harvests and rebalances. The collateral strategy contract (Section 3.3) must be periodically invoked to harvest yield, compound rewards, or rebalance between yield sources. Like premium monitoring, these are time-triggered calls rather than event-triggered ones.

Term-end settlement. At the end of the coverage term, if no trigger has fired, the vault returns collateral to the capital provider and winds down its state. If premium was streamed, the final accrual is settled.

Payout execution. When the trigger fires mid-term, orchestration moves from time-based to event-based: the oracle post triggers vault evaluation, the strategy contract unwinds its external position, and the collateral is paid out to the protection token holder.

In the current design these tasks are separated from the vault’s core contract — the vault holds state and enforces rules, while external processes trigger the transitions. This separation keeps the core vault contract minimal and auditable, and lets implementation choices (keeper networks, automation layers, custom executors) evolve independently of the vault itself.

3.6Institutional Controls

Institutional participants cannot transact with pseudonymous wallets, hold positions without enforceable eligibility rules, or operate without a retrievable audit trail. Traditional ILS meets these requirements through legal agreements, broker-led KYC, and off-chain recordkeeping that fires after a transaction has been initiated. RIZK meets them at the protocol layer — rules run before a transaction executes, and compliance state is recorded alongside every transfer.

Identity and authorization. Each wallet interacting with a RIZK vault is bound to a verified legal entity through an onboarding process covering KYC, AML, sanctions screening, and — where relevant — investor accreditation. The binding is maintained in a protocol-level identity registry that links the wallet to the entity’s jurisdiction, accreditation status, and authorized representatives. Personally identifying information is held off-chain by the compliance provider; the registry holds only a hash and the enforceable attributes. When authorization changes — a signatory leaves the firm, a new representative is added, accreditation lapses — the registry is updated and the changes take effect immediately at the protocol level.

Eligibility enforcement. Every vault sets eligibility rules at inception: which jurisdictions may hold positions, what accreditation thresholds apply, which sanctions lists are checked. These rules are enforced at the protocol layer through two complementary mechanisms. For closed counterparty structures — bilateral collateralized reinsurance, private placements with known investors — a vault-level whitelist restricts interaction to a pre-approved set of addresses. For positions intended to circulate as regulated securities, the position tokens themselves are wrapped using ERC-3643[35] or an equivalent compliance-aware token standard, which embeds eligibility checks in the token and enforces them on every transfer regardless of venue[36]. In both cases, a transfer to an ineligible address reverts atomically before execution.

Transfer controls and real-time screening. Beyond static eligibility rules, ongoing obligations — sanctions screening, AML transaction monitoring — are enforced on every transfer. Protocol-level hooks can route each transfer through compliance-provider screening before the transaction completes, returning an allow/deny decision in real time. Updates to sanctions lists or watchlists propagate immediately rather than waiting for a periodic refresh. This is stronger than the TradFi equivalent, where screening typically happens at the custodian level after the trade and remediation happens through manual unwinding.

Anatomy of a transfer Rule source Identity registry Vault config Compliance provider Transfer initiated Identity Eligibility Screening Execute Record written Any check failure reverts the transfer atomically — the attempt is preserved in the audit record.
Fig. 11Compliance gate — anatomy of a transfer

Audit trail and regulatory reporting. Every transaction is recorded onchain together with its compliance context: the identity hash of the participating entities, the eligibility decision, the screening result, the vault state at the time of transfer. The record is immutable and queryable. A regulator or internal auditor requesting “all transfers involving jurisdiction X within Q3” receives the answer from a single onchain query, rather than a multi-week reconciliation across custodians, brokers, and counterparties. This is a structural improvement over traditional ILS recordkeeping, not a parity claim.

Privacy with selective disclosure. Institutional counterparties require confidentiality of their positions and balances, but regulators and auditors require visibility. RIZK’s privacy strategy works along two dimensions. At the protocol level, the architecture can integrate privacy primitives emerging in onchain infrastructure — privacy-focused execution environments, zero-knowledge proof systems for balance confidentiality, and selective-disclosure mechanisms such as accreditation proofs and viewing keys that grant designated parties read access to otherwise encrypted state. At the deployment level, vaults can run on public chains where privacy primitives operate over a transparent substrate, or on permissioned chains where visibility is restricted by default. These choices involve real trade-offs: privacy-focused L2s have less mature institutional tooling than public L1s; permissioned chains sacrifice composability with public DeFi; selective-disclosure primitives depend on key-management discipline. The appropriate mix depends on the counterparties’ confidentiality requirements and the applicable regulatory framework.

Traditional compliance sits outside the transaction: KYC at onboarding, eligibility confirmed through legal agreements, post-trade reconciliation. In RIZK, compliance is embedded in the transaction itself. This is the architectural change that makes institutional participation viable — not because onchain infrastructure is more permissive, but because it is more enforceable.

Section FourLegal and Regulatory Perimeters

RIZK executes risk transfer onchain, but the instrument must still have legal standing off-chain. The vault handles collateral, trigger logic, settlement, and tokenized ownership. The legal wrapper gives the arrangement enforceability, regulatory recognition, and tax and accounting clarity. RIZK therefore operates through a dual structure: an onchain execution layer and an off-chain legal vehicle.

A RIZK transaction exists in two forms at once. Onchain, it exists as a vault that holds collateral and executes the economic terms. Off-chain, it exists as a legal arrangement entered into by a recognized vehicle. These are two expressions of the same instrument. The legal documentation defines the rights and obligations; the smart contract executes them. Every material term — trigger conditions, payout logic, collateral requirements, eligibility rules, and tenor — must be reflected in both.

The legal wrapper depends on the product, the jurisdiction, and the needs of the risk holder.

In Bermuda, RIZK can use structures such as the Special Purpose Insurer (SPI) and, for parametric products, the proposed Parametric Special Purpose Insurer (PSPI). The BMA opened public consultation on the PSPI in early 2026, with a target to add it to the insurance regulations before the end of Q2 2026[37]. These vehicles are well suited to reinsurance and insurance-linked structures and align naturally with trigger-based products. Bermuda also offers Segregated Account Companies (SACs), which allow new products to launch through ring-fenced cells within an existing licensed platform rather than through a standalone vehicle from day one.

In Singapore, RIZK can use a Special Purpose Reinsurance Vehicle (SPRV) for issuance within the MAS framework. Singapore is also relevant as an operating and client-facing base, particularly for Asia-linked risks. Its ILS Grant Scheme, extended through the end of 2028, covers up to 70% of upfront issuance costs for Asia-Pacific cat bonds, capped at SGD 1 million, and up to 50% for non-APAC cat bonds[38]. The framework is actively producing listings: a $225 million World Bank cat bond providing earthquake and cyclone cover for the Philippines was the first cat bond listed on SGX[39].

Other jurisdictions offer analogous cell-based structures, often called Protected Cell Companies (PCCs). The terminology varies, but the function is similar: ring-fenced legal compartments that can house individual issuances or risk pools without requiring a separate licensed entity each time.

The flexibility gap. Onchain, the vault architecture allows tokens to transfer, fractionalize, and compose without friction. Off-chain, the legal wrapper typically assumes a static structure — a named counterparty, fixed terms, enforceable between two identified parties. The asymmetry is a live design question: when a collateral position token transfers from one investor to another mid-term, the smart contract cleanly registers the new holder, but the off-chain legal instrument may still name the original. Bridging this requires structural choices — in the legal wrapper, in the documentation model, and potentially in the regulatory framework the transaction sits within.

The answer depends on how much of the onchain flexibility needs to be mirrored off-chain, and how quickly. Cell-based legal structures treat the cell, rather than the individual holder, as the unit of legal agreement — most of the onchain flexibility then operates within the cell’s investor pool. Dynamic novation models link the legal counterparty to whoever holds the token, which requires either regulatory frameworks that recognize such structures or purpose-built clauses that courts will accept. Each structural approach has different trade-offs around enforceability, operational overhead, and regulatory maturity. Document-automation tools — including AI-assisted drafting — can reduce the paperwork cost of whichever structure is chosen, but do not resolve the underlying question of what structure is legally sound.

This is an area of active work. The appropriate model depends on the product, the jurisdiction, the sophistication of the counterparty, and the regulatory framework available at the time of issuance. RIZK is designing its legal architecture to accommodate multiple answers rather than commit prematurely to one.

The appropriate jurisdiction for a given RIZK transaction depends on where the risk holder is located, where the risk is written, where the sponsor or cedent wants the vehicle to sit, and which regulatory regime best fits the instrument. In practice, Bermuda is a natural domicile for reinsurance and ILS vehicles, while Singapore is a strong base for issuance, operations, and Asia-facing transactions. As the protocol expands, other jurisdictions may become relevant — particularly where they offer suitable frameworks for digital securities, stablecoin collateral, or risk-transfer vehicles. RIZK’s structure is designed to accommodate this rather than commit to a single path.

Section FiveConclusion

Catastrophe bonds, collateralized reinsurance, and sidecars have already established the foundations of a capital-markets approach to risk transfer. But in legacy form, those instruments remain operationally heavy, structurally fragmented, and limited in what they can become once issued.

Onchain infrastructure changes that. Once represented onchain, risk-transfer positions become programmable financial objects: fractionalizable, transferable, composable, and collateralizable.

RIZK is built around that transformation. It brings existing risk-transfer instruments into a programmable environment where they can do more than they could before: move more easily, reach a broader capital base, and support structures that are difficult or uneconomic to achieve on legacy rails.

The opportunity is not simply to make existing markets faster. It is to expand the design space of risk transfer itself, so that more risks can be financed, more capital can participate, and protection can be structured with greater flexibility than the current market allows.

Risk means danger. RIZK means sustenance, provision, blessing.
We are turning global danger into the world's sustenance.

References

  1. [1] World Economic Forum, "The Global Risks Report 2025," 20th Ed., Jan 2025. weforum.org
  2. [2] Eurasia Group, "Top Risks 2026," Jan 2026. eurasiagroup.net
  3. [3] Polycrisis.org, "Global Risk Decision-Maker Survey 2025/2026," 2025.
  4. [4] Swiss Re Institute, "sigma: Natural catastrophes in 2024," No. 1/2025. swissre.com
  5. [5] Swiss Re, "Global insured losses reach USD 109bn in 2025," Mar 2026. swissre.com
  6. [6] Allianz Commercial, "Allianz Risk Barometer 2025," Jan 2025. allianz.com
  7. [7] Munich Re, "Cyber insurance: Risks and Trends 2025." munichre.com
  8. [8] Arctic Wolf, "The State of Cybersecurity: 2025 Trends Report," Aug 2025.
  9. [9] WEF, "Global Cybersecurity Outlook 2026," Jan 2026. weforum.org
  10. [10] Lee Harris, "Reinsurers extend profit boom as they cut cover," FT, Dec 2025. ft.com
  11. [11] Artemis.bm, "Q4 2025 Cat Bond & ILS Market Report," Jan 2026. artemis.bm
  12. [12] Aon, "Reinsurance Market Dynamics: Alternative Capital," 2026.
  13. [13] Artemis.bm, "UCITS cat bond funds added $5.3bn+, reaching $19.12bn AUM," Jan 2026. artemis.bm
  14. [14] Aon, "Insurance needs $1tn from private equity to close gaps, says Aon chief," Financial Times, Jun 2025. ft.com; and "AI opportunities for insurance industry are real and meaningful, says Aon CEO Case," Reinsurance News, Jan 2025. reinsurancene.ws
  15. [15] Braun & Kousky, "Catastrophe Bonds: A Primer," Wharton Risk Center, Jul 2021. wharton.upenn.edu
  16. [16] Bloomberg, "Stablecoins Settle $33 Trillion in 2025," 2026.
  17. [17] Visa, "Stablecoin Settlement Pilot Update," Jan 2026.
  18. [18] White House, "GENIUS Act," Jul 2025. whitehouse.gov
  19. [19] EY, "Global approaches to stablecoin regulation," Jul 2025. ey.com
  20. [20] Stripe & Paradigm, "Introducing Tempo," Sep 2025. fortune.com
  21. [21] JPMorgan Chase, "2025 Annual Report: CEO Letter," Apr 2026. jpmorganchase.com
  22. [22] InvestAX / CoinDesk, "RWA Tokenization Crosses $30 Billion," 2025.
  23. [23] Blockridge / RWA.xyz, "Institutions Leading Tokenization in 2025." blockridge.com
  24. [24] Standard Chartered & Synpulse, "Tokenised Assets," Jun 2024.
  25. [25] HTX Insights, "2025 Prediction Market Annual Report," Jan 2026.
  26. [26] Santoro et al., "ERC-4626: Tokenized Vault Standard," 2022. eips.ethereum.org
  27. [27] DefiLlama, "Protocol TVL Rankings," Apr 2026. defillama.com
  28. [28] The Block, "Kraken launches DeFi Earn," 2025.
  29. [29] Apollo / Morpho, strategic partnership, 2025.
  30. [30] Uniswap Labs, "BUIDL on UniswapX," Feb 2026.
  31. [31] World Bank, "Jamaica $185M Storm Protection," Jul 2021. worldbank.org
  32. [32] African Risk Capacity, "How ARC Works," 2024. arc.int
  33. [33] CCRIF SPC, "Regional Risk Pools," 2024. ccrif.org
  34. [34] WFP, "R4 Rural Resilience Initiative." wfp.org
  35. [35] Tokeny, "ERC-3643: T-REX Protocol." eips.ethereum.org
  36. [36] ERC3643.org, "ISO Standardization," 2025. erc3643.org
  37. [37] BMA, "PSPI Consultation Paper," Jan 2026. bma.bm
  38. [38] MAS, "ILS Grant Scheme," extended through 2028. mas.gov.sg
  39. [39] World Bank, "First Cat Bond on SGX: Philippines," Nov 2019. worldbank.org
  40. [40] Offerijns, Sinelnikova, Arun, Santoro, Ali, Martins, "ERC-7540: Asynchronous ERC-4626 Tokenized Vaults," Ethereum Improvement Proposals, Oct 2023 (finalized Jun 2024). eips.ethereum.org
  41. [41] Offerijns, Sinelnikova, Arun, Santoro, Ali, "ERC-7575: Multi-Asset ERC-4626 Vaults," Ethereum Improvement Proposals, Dec 2023. eips.ethereum.org