defirisk.co
rubric v1.7.0

Single admin EOA

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology: how we score

**What this measures** This factor identifies whether the effective upgrade, ownership, or rescue role for a deployed protocol is held by a single externally owned account (EOA) — with no multisig co-signers and no timelock delay imposed on sensitive operations. An on-chain read of the owner, admin, or equivalent role slot is sufficient to surface this state. The factor is triggered when a single private key, if compromised, could immediately alter protocol parameters, drain funds, or upgrade implementation logic without any social or temporal check.

**Why it matters** A single admin EOA is the most direct path from key compromise to full protocol drain. Industry guidance consistently frames multi-party approval as the minimum bar for any protocol holding material user funds: OpenZeppelin notes that "secure access controls play a significant role in the security of governance modules" and that time-delayed execution prevents changes from bypassing community review. Across this dataset, the pattern is consistent — wherever a single EOA holds unchecked admin power, that key becomes the entire attack surface. The shift toward off-chain key compromise as the leading dollar-volume vector in 2024–2026 makes this factor increasingly load-bearing; no on-chain code quality compensates for a single point of key failure.

**Green / Yellow / Red** A protocol is graded green when the highest-privilege role is held by a multisig with a meaningful threshold (at least 2-of-N with N at least 3) and a timelock of at least 24 hours on upgrade and rescue actions. Yellow is assigned when a multisig exists but the timelock is absent or under 12 hours, or when the threshold is 2-of-3 with no additional safeguards. Red is assigned when any upgrade, rescue, or ownership role is held by a single EOA with no timelock, regardless of claimed operational intent.

**Common gray cases** This factor is grayed when the protocol has announced admin renunciation or migration but on-chain confirmation has not yet propagated at the time of assessment, or when proxy architecture obscures role assignment and the source cannot be verified within the assessment window.

**Notable historical examples**

- **EasyFi** ($59M, 2021): Single admin key executed a direct token transfer with no timelock; the key compromise was the exploit mechanism.
- **Multichain** ($126M, 2023): MPC key control centralized in a single party enabled complete cross-chain drain.
- **Drift Protocol** ($285M, 2026): Security Council reduced from 3/5 to 2/5 and timelock removed days before exploit; effective admin authority concentrated in a compromised key.
- **Radiant Capital** ($53M, 2024): Multisig transactions transferring pool ownership were the exploit delivery mechanism after signer compromise.
- **bZx** ($55M, 2021): Compromised EOA held admin control across Polygon and BSC deployments; legitimate admin functions were the drain vector.

**★ Critical factor** This factor alone is sufficient to trigger a D or F grade under rubric v1.7.0 — a single red assessment here overrides all other category scores. A protocol where the sole admin key is an unguarded EOA presents a complete drain vector that no amount of code quality or audit coverage can mitigate.

Measurement: what to look for

Determine whether the effective upgrade/owner/rescue role is held by a single EOA (not a multisig) with no timelock on sensitive operations.

Data & output

**Data source:** `owner()` / `admin()` / `DEFAULT_ADMIN_ROLE` read via RPC; check whether the holder address is an EOA via `eth_getCode` (returns `0x` for an EOA).

**Output format:** Green / Yellow / Red · critical gate active.

**Evidence artifact:** Role address + `eth_getCode` result (`0x` = EOA) + tx hash of the most recent role assignment.

**Confidence signal:** green = role held by a multisig or a contract behind a timelock; red = role held by an EOA; gray = role not determinable.
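Worked example, added here and not defirisk.co's own tooling: the measurement above as a script. It reads the `owner()` / `admin()` getter over JSON-RPC, checks the holder with `eth_getCode`, and applies the Green / Yellow / Red rule from the methodology section. `FakeRpc`, the addresses and the bytecode string are constructed so the script runs offline; the selectors `0x8da5cb5b` and `0xf851a440` are the real four-byte selectors for `owner()` and `admin()`. Enumerating `DEFAULT_ADMIN_ROLE` holders (which needs role-grant logs or `getRoleMember`) and fetching the tx hash of the last role assignment are left out. Where the rubric text leaves a band unstated (a multisig with a timelock between 12 and 24 hours, or a 2-of-2 multisig) the code returns yellow; that is my assumption, not the rubric's.

```python
"""
Added example (not defirisk.co's scoring code): resolve the admin/owner role
holder of a contract over JSON-RPC, test whether it is an EOA with eth_getCode
(empty bytecode => EOA), and apply the factor's Green/Yellow/Red rule.
FakeRpc is a constructed in-memory stand-in for a node; any client exposing
call(method, params) in JSON-RPC shape can replace it.
"""
from dataclasses import dataclass
from typing import Optional

# 4-byte selectors: first four bytes of keccak256 of the function signature.
SEL_OWNER = "0x8da5cb5b"  # owner()  (Ownable)
SEL_ADMIN = "0xf851a440"  # admin()  (EIP-1967 transparent proxy)

# Constructed addresses for the offline demo (not real deployments).
CONTRACT = "0x" + "ab" * 20
EOA_HOLDER = "0x" + "11" * 20
SAFE_HOLDER = "0x" + "22" * 20


class FakeRpc:
    """Answers eth_call / eth_getCode from a fixed table keyed the way a node sees them."""

    def __init__(self, table):
        self.table = table

    def call(self, method, params):
        if method == "eth_call":
            key = (method, params[0]["to"].lower(), params[0]["data"][:10].lower())
        elif method == "eth_getCode":
            key = (method, params[0].lower())
        else:
            raise ValueError(f"unsupported method {method}")
        return self.table[key]  # KeyError models a contract with no such getter


def read_role_holder(rpc, contract, selector=SEL_OWNER):
    """eth_call the getter; the 32-byte return word holds a right-aligned 20-byte address."""
    raw = rpc.call("eth_call", [{"to": contract, "data": selector}, "latest"])
    word = raw[2:].rjust(64, "0")
    return "0x" + word[-40:].lower()


def get_code(rpc, address):
    return rpc.call("eth_getCode", [address, "latest"])


def is_eoa(code):
    """An externally owned account has no bytecode: eth_getCode returns '0x'."""
    return code.lower() in ("0x", "")


@dataclass
class AdminSetup:
    holder: Optional[str]        # None when the role could not be determined (gray)
    holder_is_eoa: bool
    threshold: int = 1           # M of an M-of-N multisig; 1 for an EOA
    signers: int = 1             # N
    timelock_hours: float = 0.0  # delay enforced on upgrade / rescue actions


def grade(setup):
    """Factor rule as stated on the page; a threshold-1 'multisig' counts as a single key."""
    if setup.holder is None:
        return "gray"
    if setup.holder_is_eoa or setup.threshold < 2:
        return "red"
    if setup.signers >= 3 and setup.timelock_hours >= 24:
        return "green"
    # Multisig without an adequate timelock, or 2-of-3 with nothing extra.
    # Assumption: the page does not state a 12-24h timelock band or N=2 multisigs;
    # both fall through to yellow here rather than green.
    return "yellow"


def assess(rpc, contract, selector=SEL_OWNER, threshold=1, signers=1, timelock_hours=0.0):
    """Return (grade, evidence). threshold/signers/timelock are supplied by the caller;
    for a Safe-style holder they would be read from the multisig contract itself."""
    try:
        holder = read_role_holder(rpc, contract, selector)
    except KeyError:
        return "gray", {"role_address": None, "eth_getCode": None}
    code = get_code(rpc, holder)
    setup = AdminSetup(holder, is_eoa(code), threshold, signers, timelock_hours)
    # Evidence artifact per the page: role address + eth_getCode result.
    # (The tx hash of the last role assignment needs an eth_getLogs scan; omitted.)
    return grade(setup), {"role_address": holder, "eth_getCode": code}


def demo_rpc():
    """Constructed node responses: CONTRACT.owner() is EOA_HOLDER, which has no code;
    SAFE_HOLDER carries a (truncated, constructed) bytecode string."""
    def word(addr):
        return "0x" + addr[2:].rjust(64, "0")
    return FakeRpc({
        ("eth_call", CONTRACT, SEL_OWNER): word(EOA_HOLDER),
        ("eth_getCode", EOA_HOLDER): "0x",
        ("eth_getCode", SAFE_HOLDER): "0x6080604052",
    })


if __name__ == "__main__":
    print(assess(demo_rpc(), CONTRACT))  # red: owner() resolves to an EOA
```

For a contract holder, `threshold`, `signers` and `timelock_hours` must come from the multisig and timelock contracts (for a Safe, `getThreshold()` and `getOwners()`); the script does not read them, so a bare `assess()` on a contract-held role only rules out the red case and the caller supplies the rest.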

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-027 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | red |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | red |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | green |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | red |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | red |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | yellow |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | red |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | red |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | red |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | green |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | red |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: 39 historical incidents

Each entry: relationship to this factor (causal / related) · protocol · date · loss · root cause · the linkage rule that attached the factor.

- causal · **Aethir** (decentralized GPU compute / DePIN; ATH token bridge) · 2026-04-09 · $400K · Access control — unprotected/misauthorized `transferOwnership()` on AethirOFTAdapter; either missing `onlyOwner` modifier or compromised single-EOA admin key · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — unauthorized `transferOwnership` call on AethirOFTAdapter is itself the critical admin action]
- causal · **Drift Protocol** (Solana perpetual futures DEX) · 2026-04-01 · $285M · Multi-month social engineering + Solana durable-nonce pre-signing + fake-collateral-token / attacker-controlled oracle · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Security Council threshold reduction (3/5→2/5, timelock removed) March 25–27; admin key transfer April 1]
- causal · **IoTeX** (ioTube Bridge) · 2026-02-21 · $4M · Private key compromise → malicious contract upgrade → TokenSafe drain + MinterPool abuse · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- causal · **Step Finance** · 2026-01-31 · $27M · Compromised Executive Device → Stake Authorization Transfer · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Stake authorization transfer to unknown address is the key on-chain action; Solana staking change events to fresh wallets during APAC of...]
- causal · **Aevo** (formerly Ribbon Finance) · 2025-12-12 · $3M · Proxy upgrade removed oracle access control — oracle price settable to arbitrary value → vault fully drained in atomic loop · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — the upgrade itself was an admin action (root cause)]
- causal · **USPD** · 2025-12-04 · $1M · CPIMP (Clandestine Proxy In the Middle of Proxy) — front-run proxy initialization, shadow admin installation, 78-day dormancy, then mint + drain · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — proxy upgrade on Dec 4 was the trigger (admin-controlled, but by attacker)]
- causal · **GANA Payment** · 2025-11-20 · $3M · Leaked Owner Key + EIP-7702 Delegator Contract (onlyEOA Bypass) · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — transferOwnership calls (8x) and reward rate manipulation are admin-level on-chain actions immediately preceding the drain]
- causal · **Credix** · 2025-08-05 · $5M · Admin Privilege Abuse — Bridge Role Minting Unbacked Collateral · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — multisig granted both Admin and Bridge roles to attacker address 6 days prior; this is the root exploitable signal]
- causal · **Hacken** ($HAI token) · 2025-06-20 · $170K · Bridge private key leak from decommissioned server → unauthorized token minting → dump · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — unauthorized minting via compromised minter role key]
- causal · **Force Bridge** (Nervos Network) · 2025-06-01 · $4M · Access control compromise — admin key leak → privileged unlock() drain across two chains · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — the exploit was itself an admin-level action; no on-chain governance signal preceding it]
- causal · **Zunami Protocol** · 2025-05-14 · $500K · Admin key compromise → withdrawStuckToken() drain of LP collateral · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — admin role grant is the proximate signal; 7-minute window between grant and drain]
- causal · **LNDFi** (LND.fi) · 2025-05-09 · $1M · Admin Backdoor (Malicious Code Injection by Contractor / DPRK Dev) · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — Pool Admin role assignment was the enabling action]
- causal · **Zoth** (RWA yield protocol) · 2025-03-21 · $8M · Admin key compromise → malicious proxy contract upgrade → vault drain · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — the malicious proxy upgrade is a critical governance/admin action; any monitor watching for deployer wallet upgrade transactions on prod...]
- related · **1inch** (Fusion v1 resolver contracts) · 2025-03-05 · $5M · Integer underflow in deprecated assembly — calldata pointer corruption → resolver address forgery · ★ Single admin EOA — adjacent [via cross-hack: Factor 36: Deprecated Contract With Live Admin Key]
- causal · **Orange Finance** · 2025-01-07 · $844K · Admin private key compromise → proxy upgrade → privileged drain of LP vault positions · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when ms threshold = 1 [via cross-hack: Factor 39: Multi-Sig Misconfigured as Single-Sig] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — proxy upgrade by compromised admin key was the attack itself]
- causal · **Tapioca DAO** · 2024-10-18 · $4M · Social engineering → private key compromise → vesting contract ownership takeover + stablecoin infinite mint → TAP dump + USDO/USDC LP drain · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Emergency Rescue function called by compromised owner key; stablecoin minter role added; ownership transferred on both vesting and stabl...]
- causal · **Radiant Capital** · 2024-10-16 · $53M · Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — multisig transactions transferring pool ownership and upgrading implementation were the exploit itself]
- causal · **ETHTrustFund** (ETF) · 2024-07-21 · $2M · Insider Rug Pull — Deployer Drains Treasury Smart Contract · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — deployer directly transferred treasury funds; admin privilege over treasury was single-key]
- causal · **Rho Market** · 2024-07-19 · Oracle misconfiguration (deployment error) → MEV bot price manipulation → USDC/USDT drain · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — admin deployment of a misconfigured oracle was the root cause]
- causal · **Gala Games** (GALA token contract) · 2024-05-21 · $22M · Compromised Admin Account — Unauthorized Token Minting · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — admin mint function exercised by compromised/unauthorized account]
- causal · **Grand Base** · 2024-04-15 · $2M · Deployer wallet private key leak → unauthorized token minting → dump · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — unauthorized token minting by compromised deployer key (effective admin action)]
- causal · **Ionic Money** (formerly Midas) · 2024-02-04 · $7M · Fake Collateral Listing (Social Engineering → On-chain Exploit) · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — admin whitelisting of fake collateral was the enabling action]
- causal · **OKX DEX** (OKX Decentralized Exchange Aggregator) · 2023-12-13 · $3M · Compromised proxy admin key → malicious implementation upgrade → claimTokens() drain of user approvals · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — proxy implementation upgrade by compromised Proxy Admin Owner was the trigger event] || ★ Single admin EOA — adjacent [via cross-hack: Factor 36: Deprecated Contract With Live Admin Key]
- causal · **RocketSwap** · 2023-08-14 · $869K · Bruteforced server private keys → farming contract drain via proxy admin + high-risk permissions · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — farming contracts drained via internal admin address (privileged key holder action)]
- causal · **Steadefi** · 2023-08-07 · $1M · Compromised Deployer Key → Ownership Transfer · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Ownership transfer from deployer to attacker address is the key on-chain action; monitoring for unexpected ownership transfer events on ...]
- causal · **Multichain** (formerly Anyswap) · 2023-07-07 · $126M · Private Key Compromise (MPC Address) — suspected backend breach or insider · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — MPC key control centralized in compromised party]
- causal · **Poly Network** (2nd incident) · 2023-07-01 · $4M · Compromised 3-of-4 multisig → forged deposit proofs → cross-chain withdrawal drain · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — multisig validation was the attack vector itself]
- causal · **Swaprum** · 2023-05-18 · $3M · Rug Pull via Malicious Contract Upgrade · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Contract upgrade via owner/admin function is the key action; monitoring for reward contract upgrades by the deployer address would surfa...]
- causal · **Deus DAO / DEI stablecoin** · 2023-05-06 · $7M · Mis-ordered Parameters in burnFrom — Public Approval Override · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — contract upgrade deploying the flawed burnFrom function was an admin/deployer action visible on-chain]
- causal · **Hope Finance** · 2023-02-20 · $2M · Insider Exit Scam — Malicious Fake Router Pre-Deployed · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — the SwapHelper config update was the trigger; signed by all 3 multisig owners]
- related · **Raydium** · 2022-12-16 · $4M · Compromised pool owner private key → withdraw_pnl() fee drain + SyncNeedTake parameter manipulation · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — withdraw_pnl called by owner key; SyncNeedTake parameter modified. Both are admin-level operations]
- causal · **Fortress Protocol** (lending arm of JetFuel Finance) · 2022-05-09 · $3M · Oracle Manipulation + Malicious Governance Proposal · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — malicious governance proposal was the key enabling step; was active and voteable for 3 days]
- causal · **Bent Finance** · 2021-12-21 · $2M · Insider Contract Manipulation (Malicious Balance Adjustment) · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — the exploit *was* an admin action (manual balance manipulation via contract update)]
- causal · **BrincFi** · 2021-12-14 · $1M · Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- causal · **Snowdog** (SnowdogDAO) · 2021-11-25 · $21M · Insider front-running — privileged challengeKey knowledge + custom AMM sniping · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Team migrated all liquidity to custom AMM with challengeKey mechanism]
- causal · **bZx** (bzx.network) · 2021-11-05 · $55M · Phishing → Private Key Compromise → Smart Contract Drain · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — compromised EOA had admin control over Polygon and BSC deployments; its use constituted an admin action]
- causal · **Bondly Finance** · 2021-07-15 · $6M · Infinite Mint (Compromised or Insider Minting Key) · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — the minting key had unilateral control; its use was the exploit]
- causal · **EasyFi** (Easy Network) · 2021-04-19 · $59M · Admin key theft via compromised machine (malicious MetaMask binary) · ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Single admin key execution of transfer() function with no timelock; this IS the exploit mechanism]
- causal · **Cover Protocol** (formerly SAFE / SAFE2) · 2020-12-28 · $9M · Infinite Mint — Blacksmith Farming Contract Withdrawal Bug · ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — the team's own multisig transaction adding a new pool created the exploitable condition]
rubric_version: v1.7.0 · factor: RD-F-027 · category: 2 · carried: 80 · critical: yes