defirisk.co
rubric v1.7.0

Admin/upgrade transaction in mempool

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time (rt) cadence.

Methodology: how we score

**What this measures** This real-time signal fires when an admin-role or upgrade transaction appears in the public mempool — before block confirmation — from an admin, upgrader, or owner address of the monitored protocol. The signal is generated by monitoring mempool transactions from known protocol-admin addresses against a library of admin-function signatures (upgradeTo, transferOwnership, grantRole, setAdmin, pause, unpause). Category 6 context: admin transactions appearing in the mempool provide a last-moment warning window before the transaction confirms — typically five to 60 seconds on fast chains.

**Why it matters** Admin transactions that initiate protocol changes are the on-chain execution step of governance decisions — or, in the case of rogue-insider attacks, the execution step of a drain. EasyFi ($59M, 2021) had a single admin key executing transfer() with no timelock — the admin transaction appearing in the mempool would have been the only pre-confirmation warning. Munchables ($62.5M, 2024) involved a proxy upgrade to an unverified implementation — the upgrade transaction appearing in the mempool was the final visible step before the drain. Even with seconds of lead time, a mempool alert enables automated circuit breakers and depositor withdrawal initiation.

**Green / Yellow / Red** Green is the baseline when no admin transactions from protocol-admin addresses appear in the mempool outside of scheduled governance windows. Yellow fires when an admin transaction appears in the mempool consistent with a scheduled and publicly disclosed upgrade or parameter change. Red fires when an admin transaction appears in the mempool with no corresponding governance discussion, outside of any known upgrade schedule, or from an admin address that has been dormant for 30 or more days.

**Common gray cases** Gray applies on chains where the mempool is not publicly observable (private mempool chains, some L2s), or when admin transactions are routed through private relay services (Flashbots) that are not visible in the public mempool.

**Notable historical examples** No cross-hacked incidents currently linked in database for this factor.

Measurement: what to look for

Detect an admin-role or upgrade transaction appearing in the mempool before confirmation.

Data & output

**Data source** Mempool stream + admin/upgrade function selector filter for this protocol

**Output format** Green / Yellow / Red

**Evidence artifact** Pending tx hash + function selector + from address + mempool arrival timestamp

**Confidence signal** green = signal not firing; red = admin/upgrade tx detected in mempool; gray = mempool monitoring not configured
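
An added example, not defirisk.co's own code: a minimal Python classifier that applies the selector filter and the Green / Yellow / Red rule from the methodology to one pending transaction and returns the evidence artifact listed above. The `Watch` configuration, the `seen_at` field, the rule that dormancy overrides a disclosed window, and every sample address, hash and timestamp are assumptions constructed for illustration; the selector table assumes OpenZeppelin-style argument types.

```python
from dataclasses import dataclass

# 4-byte selectors for five of the page's six function names; argument types
# are assumed (OpenZeppelin-style). setAdmin is omitted: its signature varies.
ADMIN_SELECTORS = {
    "3659cfe6": "upgradeTo(address)",
    "f2fde38b": "transferOwnership(address)",
    "2f2ff15d": "grantRole(bytes32,address)",
    "8456cb59": "pause()",
    "3f4ba83a": "unpause()",
}
DORMANCY_SECONDS = 30 * 86400  # "dormant for 30 or more days"

@dataclass
class Watch:
    """Hypothetical per-protocol monitor configuration."""
    admins: dict   # lowercase admin address -> unix time of its last confirmed tx
    windows: list  # (start, end) unix times of publicly disclosed change windows

def classify(tx, watch):
    """Return (status, evidence) for one pending transaction dict."""
    sender = tx["from"].lower()
    data = tx["input"].lower()
    selector = data[2:10] if data.startswith("0x") else data[:8]
    if sender not in watch.admins or selector not in ADMIN_SELECTORS:
        return "green", None  # not an admin/upgrade call: signal not firing
    seen = tx["seen_at"]  # mempool arrival time recorded by the monitor
    evidence = {"tx_hash": tx["hash"], "selector": "0x" + selector,
                "function": ADMIN_SELECTORS[selector], "from": sender, "seen_at": seen}
    dormant = seen - watch.admins[sender] >= DORMANCY_SECONDS
    scheduled = any(start <= seen <= end for start, end in watch.windows)
    # Assumption: a dormant key is red even inside a disclosed window.
    return ("yellow" if scheduled and not dormant else "red"), evidence

# Constructed sample data (not real addresses, hashes or timestamps).
NOW = 1_700_000_000
ACTIVE, DORMANT = "0x" + "aa" * 20, "0x" + "bb" * 20
WATCH = Watch(admins={ACTIVE: NOW - 3600, DORMANT: NOW - 45 * 86400},
              windows=[(NOW - 600, NOW + 600)])

def pending(sender, selector, seen_at=NOW):
    """Build a constructed pending-transaction record."""
    return {"hash": "0x" + "11" * 32, "from": sender,
            "input": "0x" + selector + "00" * 32, "seen_at": seen_at}

if __name__ == "__main__":
    for who, sel, t in [(ACTIVE, "3659cfe6", NOW), (ACTIVE, "3659cfe6", NOW + 7200),
                        (DORMANT, "f2fde38b", NOW), (ACTIVE, "a9059cbb", NOW)]:
        print(classify(pending(who, sel, t), WATCH))
```

Gray is not produced here because it describes the monitor's visibility (no public mempool, private relay), not a property of any single transaction.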

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-102 |
| --- | --- | --- |
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | gray |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | not_assessed |
| deBridge | ethereum | gray |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | gray |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | gray |
| Jito | solana | yellow |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | gray |
| Meteora | solana | gray |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | gray |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | gray |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | not_assessed |
| QuickSwap | polygon | gray |
| Raydium | solana | green |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | gray |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | gray |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version v1.7.0 factor RD-F-102 category 6 carried 80 critical no