defirisk.co
rubric v1.7.0

Sudden admin-rescue/ACL change without discussion

A dev identity & insider risk factor in the v1.7.0 rubric. Measured per protocol on a e cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology: how we score

**What this measures** This factor assesses whether the protocol has executed admin-rescue functions or access-control-list (ACL) changes without any corresponding discussion in public GitHub issues, pull requests, or governance forums. Measurement is conducted by cross-referencing on-chain ACL events against the public activity trail: the curator queries the relevant GitHub repository and governance discussion archives for a matching discussion thread within a 14-day window before or after the change. Category 7 context: insider-implant patterns often surface through precisely this signal — privileged code changes committed in silence.

**Why it matters** Legitimate admin interventions are almost always preceded by community discussion, a security disclosure, or at minimum an internal PR. When a rescue or ACL change lands on-chain with no traceable rationale, it is structurally indistinguishable from a rogue insider preparing a drain. The Drift Protocol incident (April 2026) is the clearest recent precedent: a 3-of-5 Security Council threshold reduction and timelock removal were executed without prior governance-forum discussion, six days before a $285M DPRK-attributed exploit. Across the dataset, suspected insider involvement consistently appears alongside undiscussed admin actions — Uranium Finance, Kokomo Finance, and Kannagi Finance all show this pattern.

**Green / Yellow / Red** Green is scored when every admin-rescue invocation or ACL modification in the trailing 90 days has a corresponding public GitHub issue, PR, or governance post predating the on-chain transaction. Yellow applies when documentation exists but is sparse, post-hoc, or restricted to a private channel verifiable only via curator attestation. Red is scored when an admin-rescue or significant ACL change has been executed on-chain with no traceable public discussion in any channel — this single state alone triggers a critical flag under rubric v1.7.0.

**Common gray cases** Gray is assigned when the curator cannot access the protocol's communication channels (e.g., private Discord, closed Telegram), the repo is partially private, or the on-chain event predates the dashboard's monitoring window with no archived record.

**Notable historical examples**

- **Uranium Finance** ($57.2M, 2021): Same-day v2.1 deployment followed by GitHub deletion; admin action with no discussion preceded exit.
- **Snowdog (SnowdogDAO)** ($21M, 2021): Privileged challengeKey access exercised without prior community disclosure.
- **Kokomo Finance** ($4M, 2023): Malicious upgrade executed by anon deployer with no PR or forum discussion; protocol was less than one week old.
- **BrincFi** ($1.1M, 2021): Head of development retained full upgrade authority; no discussion before exercise.
- **Kannagi Finance** ($1.1M, 2023): Anon team executed MainChef privileged withdrawal absent any governance discussion.

**★ Critical factor** A confirmed red state on this factor — an on-chain admin-rescue or ACL change with no traceable public discussion — is alone sufficient to trigger a D or F grade under rubric v1.7.0, regardless of all other category scores.

Measurement: what to look for

Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or the governance forum.

Data & output

- **Data source:** GitHub PR/issue search for ACL-change PRs + on-chain `RoleGranted`/`RoleRevoked` events + governance forum search
- **Output format:** Green / Yellow / Red · critical gate active
- **Evidence artifact:** PR or on-chain tx hash of ACL change + absence of discussion link + curator sign-off
- **Confidence signal:** green = all ACL changes have corresponding public discussion ≥24h before merge/execute; yellow = discussion exists but <24h before change; red = ACL change with no public discussion or governance rationale; gray = repo is private and on-chain events not enumerable
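The cross-referencing rule above can be sketched as follows. This is an added example, not defirisk.co's own tooling: it assumes the curator has already tagged each on-chain event and each public thread with a shared `subject` key (a hypothetical field), treats post-hoc discussion as yellow, and runs on constructed sample records.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=14)    # discussion must fall within 14 days before or after the change
LEAD = timedelta(hours=24)     # green requires discussion >= 24h before execution
TRAILING = timedelta(days=90)  # only changes in the trailing 90 days are scored
ORDER = ["green", "yellow", "red"]

def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def score_event(event, discussions):
    """Score one ACL change against discussions tagged with the same subject."""
    posted = [d["posted"] for d in discussions
              if d["subject"] == event["subject"]
              and abs(d["posted"] - event["executed"]) <= WINDOW]
    if not posted:
        return "red"       # no traceable public discussion
    if event["executed"] - min(posted) >= LEAD:
        return "green"     # discussed at least 24h ahead
    return "yellow"        # late or post-hoc discussion

def score_protocol(events, discussions, now):
    """Worst per-event score in the trailing window; red trips the critical gate."""
    recent = [e for e in events if now - e["executed"] <= TRAILING]
    worst = max((score_event(e, discussions) for e in recent),
                key=ORDER.index, default="green")
    return worst, worst == "red"

# Constructed sample data (not real transactions or threads).
EVENTS = [
    {"event": "RoleGranted", "subject": "pauser-role",    "executed": ts("2026-03-10T12:00")},
    {"event": "RoleRevoked", "subject": "timelock-admin", "executed": ts("2026-03-20T12:00")},
    {"event": "RoleGranted", "subject": "rescue-admin",   "executed": ts("2026-03-25T12:00")},
    {"event": "RoleGranted", "subject": "legacy-admin",   "executed": ts("2025-11-01T12:00")},
]
DISCUSSIONS = [
    {"subject": "pauser-role",    "posted": ts("2026-03-05T09:00")},  # 5 days ahead
    {"subject": "timelock-admin", "posted": ts("2026-03-20T02:00")},  # 10 hours ahead
]

if __name__ == "__main__":
    now = ts("2026-04-01T00:00")
    for e in EVENTS:
        print(e["event"], e["subject"], score_event(e, DISCUSSIONS))
    print(score_protocol(EVENTS, DISCUSSIONS, now))
```

The gray state is not modelled here, since it depends on whether the curator can reach the protocol's channels rather than on timestamps.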

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-123 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | green |
| deBridge | ethereum | not_assessed |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | yellow |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: 6 historical incidents

- **LNDFi (LND.fi)** (causal) · 2025-05-09 · $1M · Admin Backdoor (Malicious Code Injection by Contractor / DPRK Dev) · ★ Sudden admin/ACL change absent issue/PR — DPRK insider class [via dashboard_risk_factors/Team anonymity: Pseudonymous; possible DPRK IT worker involvement]
- **Kannagi Finance** (causal) · 2023-07-29 · $1M · Insider rug — privileged admin withdrawal on behalf of users (MainChef address) · ★ Sudden admin-rescue / ACL change absent issue/PR discussion [via cross-hack: Factor 34: Suspected Insider Involvement]
- **Kokomo Finance** (causal) · 2023-03-26 · $4M · Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits · ★ Sudden admin-rescue / ACL change absent issue/PR discussion [via cross-hack: Factor 34: Suspected Insider Involvement]
- **BrincFi** (causal) · 2021-12-14 · $1M · Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade · ★ Sudden admin-rescue / ACL change absent issue/PR discussion [via cross-hack: Factor 34: Suspected Insider Involvement]
- **Snowdog (SnowdogDAO)** (causal) · 2021-11-25 · $21M · Insider front-running — privileged challengeKey knowledge + custom AMM sniping · ★ Sudden admin-rescue / ACL change absent issue/PR discussion [via cross-hack: Factor 34: Suspected Insider Involvement]
- **Uranium Finance** (causal) · 2021-04-28 · $57M · Math bug — constant product formula check broken by inconsistent parameter change (1000→10000) · ★ Sudden admin-rescue / ACL change absent issue/PR discussion [via cross-hack: Factor 34: Suspected Insider Involvement]

rubric_version: v1.7.0 · factor: RD-F-123 · category: 7 · carried: 80 · critical: yes