
Role separation: upgrade ≠ fee ≠ oracle

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor checks whether the upgrade, fee collection, and oracle configuration functions are assigned to distinct addresses or distinct multisigs — meaning no single address holds all three administrative powers simultaneously. The on-chain AccessControl or equivalent role mapping is queried for each of the three action types and compared for address overlap.

**Why it matters** Role separation across upgrade, fee, and oracle functions prevents a single key compromise from granting an attacker total protocol control. An attacker who gains access to the oracle setter role should not also be able to upgrade the protocol or drain fee revenues. In practice, many DeFi protocols use a single deployer-controlled multisig for all three roles — which means that any compromise of that multisig constitutes a simultaneous oracle, fee, and upgrade authority breach. The evidence base shows that concentrating full authority in a single key or multisig is strongly correlated with total post-compromise drains rather than partial impacts.

**Green / Yellow / Red** Green is assigned when upgrade, fee, and oracle roles are held by three distinct addresses or multisigs with no overlap. Yellow covers two-of-three role separation (any one role shared with another). Red is assigned when all three roles are controlled by a single address or multisig, giving a single compromise total administrative authority.

**Common gray cases** This factor is grayed when the protocol does not have all three role types (e.g., no oracle configuration because it uses an immutable oracle address — which is separately assessed under RD-F-180).
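As an added illustration (not defirisk.co's own tooling), the following Python applies the Green / Yellow / Red / gray rules above to a role-to-member mapping of the shape the evidence artifact describes; the `upgrade` / `fee` / `oracle` key names, the evidence structure and all addresses are assumptions or constructed placeholders, and the red rule is read as "one address sits in all three holder sets".

```python
from itertools import combinations

ROLES = ("upgrade", "fee", "oracle")  # assumed artifact keys for the three role IDs


def normalize(addresses):
    # EVM addresses are case-insensitive hex: lowercase before comparing, so a
    # checksummed copy and a lowercased copy of the same key are not counted as distinct.
    return {a.lower() for a in addresses}


def check_role_separation(role_members):
    """Grade {"upgrade": [...], "fee": [...], "oracle": [...]} per RD-F-035.

    Returns (grade, evidence); evidence records the overlaps the grade rests on.
    Comparison stops at the address level: two different multisigs with the same
    signers still count as distinct, matching the rubric wording.
    """
    missing = [r for r in ROLES if not role_members.get(r)]
    if missing:
        # Protocol lacks one of the three role types (e.g. immutable oracle): not scored.
        return "gray", {"missing_roles": missing}
    holders = {r: normalize(role_members[r]) for r in ROLES}
    shared_by_all = holders["upgrade"] & holders["fee"] & holders["oracle"]
    pair_overlap = {
        f"{a}+{b}": sorted(holders[a] & holders[b])
        for a, b in combinations(ROLES, 2)
        if holders[a] & holders[b]
    }
    evidence = {"shared_by_all": sorted(shared_by_all), "pair_overlap": pair_overlap}
    if shared_by_all:
        return "red", evidence     # one compromise = upgrade + fee + oracle authority
    if pair_overlap:
        return "yellow", evidence  # some role is shared with another
    return "green", evidence       # three disjoint holder sets


# Constructed sample artifacts with placeholder addresses (not real protocol data).
SAMPLES = {
    "three distinct multisigs": {"upgrade": ["0xa1"], "fee": ["0xa2"], "oracle": ["0xa3"]},
    "fee role shared with oracle": {"upgrade": ["0xb1"], "fee": ["0xB2", "0xb3"], "oracle": ["0xb2"]},
    "single deployer multisig": {"upgrade": ["0xc1"], "fee": ["0xc1"], "oracle": ["0xc1", "0xc4"]},
    "immutable oracle": {"upgrade": ["0xd1"], "fee": ["0xd2"], "oracle": []},
}

if __name__ == "__main__":
    for name, mapping in SAMPLES.items():
        grade, evidence = check_role_separation(mapping)
        print(f"{name}: {grade} {evidence}")
```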

**Notable historical examples** No hack incidents are currently linked to this factor in the database.

Measurement: what to look for

Determine whether the upgrade role, fee-collection role, and oracle-config role are assigned to distinct addresses.

Data & output

Data source: `AccessControl` role member enumeration via RPC for upgrade/fee/oracle role IDs
Output format: Green / Yellow / Red
Evidence artifact: Role → address mapping JSON + distinctness check
Confidence signal: green = all three roles held by distinct addresses; yellow = two of three distinct; red = single address holds all three; gray = protocol does not have all three role types

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-035 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | red |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | green |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | red |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | yellow |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | green |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | green |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | red |
| QuickSwap | polygon | red |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | green |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | red |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | red |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.

rubric_version: v1.7.0
factor: RD-F-035
category: 2
carried: 80
critical: no