defirisk.co
rubric v1.7.0

Immutable oracle address

An oracle & external dependencies factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology: how we score

**What this measures** This factor checks whether the protocol has hard-coded an oracle address — using the EVM `immutable` keyword, a non-EVM hardcoded constant, or a closed-source binary oracle embedding — such that the address cannot be replaced by an authorised admin without deploying new contract code. In Solidity an `immutable` value is assigned once in the constructor and baked into the deployed bytecode, so the only way to change it is a fresh deployment (or, behind a proxy, a new implementation); an ordinary storage variable with no setter is in the same position in practice. Source inspection, on-chain reads, and protocol documentation are used across all substrate types (EVM, non-EVM, closed-source).

**Why it matters** An oracle that cannot be swapped out by an admin becomes a single load-bearing dependency with no operational escape valve. Even a high-quality aggregated feed (Chainlink, Pyth) becomes a critical failure point if the asset it prices depegs, the feed is deprecated, or the aggregator experiences an incident — because the protocol has no path to emergency substitution. The 2024–2026 period produced four stablecoin-oracle incidents in 14 months (USR, USDX, xUSD, USD0++) where immutable oracle addresses prevented the protocol from reacting to peg events, leading to this factor being promoted to critical status under rubric v1.4 in April 2026. This failure mode is orthogonal to RD-F-053: a protocol can use a Chainlink-grade source yet still be critically exposed if it cannot replace that source when the underlying asset or feed fails.

**Green / Yellow / Red** Green is scored when an admin-replaceable oracle wrapper exists with a governance-controlled setter, a timelock, and documented change procedures. Yellow is scored when the setter exists but is undocumented, uses an EOA without multisig, or has no timelock. Red is scored when the oracle address is hardcoded (`immutable`, compile-time constant, or opaque binary) with no admin path to replacement.

**Common gray cases** Gray is applied when source code is unavailable or partially verified and the oracle binding mechanism cannot be confirmed from inspection alone.
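The "What this measures" and "Green / Yellow / Red" rules above can be turned into a first-pass source check. The script below is an added example written for this page, not defirisk's curation tooling: it reads Solidity source text, finds state variables whose names look oracle-related, checks whether they are `immutable`/`constant`, looks for a `set*`/`update*`/`change*` function that assigns them, and checks whether that setter's modifiers reference a timelock. The name keywords, regexes and the three sample contracts are this example's own assumptions, and a curator would still verify multisig ownership and documented change procedures by hand, which the script cannot see.

```python
"""Heuristic scorer for the immutable-oracle-address check (added example).

Applies the rubric's Green / Yellow / Red / Gray vocabulary to Solidity text:
  red    - oracle/feed state variable is `immutable`/`constant`, or has no setter
  yellow - a set*/update*/change* function assigns it, but nothing gates it by timelock
  green  - such a setter exists and its modifiers reference a timelock
  gray   - no (verified) source to inspect
Keywords, regexes and sample contracts are this example's assumptions.
"""
import re
from typing import Optional

ORACLE_WORDS = ("oracle", "feed", "aggregator")  # assumed naming heuristic

# state-variable declaration: <type> [visibility] [immutable|constant] <name> (= ...)? ;
DECL_RE = re.compile(
    r"\b(?:address|I[A-Z]\w*|AggregatorV3Interface)\s+"
    r"(?:(?:public|private|internal)\s+)?"
    r"(?P<mutability>immutable|constant)?\s*(?P<name>\w+)\s*(?:=|;)"
)
SETTER_RE = re.compile(r"\bfunction\s+(?P<name>(?:set|update|change)\w*)\s*\(")
TIMELOCK_RE = re.compile(r"timelock", re.IGNORECASE)
RANK = {"green": 0, "yellow": 1, "red": 2}


def oracle_bindings(source: str) -> list:
    """State variables whose name looks like an oracle/feed, with their mutability."""
    return [
        {"name": m.group("name"), "mutability": m.group("mutability")}
        for m in DECL_RE.finditer(source)
        if any(w in m.group("name").lower() for w in ORACLE_WORDS)
    ]


def _body(source: str, start: int) -> str:
    """Text of the brace-delimited block beginning at the first '{' after start."""
    open_idx = source.find("{", start)
    if open_idx < 0:
        return ""
    depth = 0
    for i in range(open_idx, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[open_idx:i + 1]
    return source[open_idx:]


def setters_for(source: str, var: str) -> list:
    """Setter-style functions that assign `var`, and whether a timelock gates them."""
    found = []
    for m in SETTER_RE.finditer(source):
        if not re.search(rf"\b{re.escape(var)}\s*=[^=]", _body(source, m.end())):
            continue
        signature = source[m.start():source.find("{", m.end())]  # text up to the body brace
        found.append({"name": m.group("name"),
                      "timelocked": TIMELOCK_RE.search(signature) is not None})
    return found


def score(source: Optional[str]):
    """Return (verdict, notes); the worst colour across all oracle bindings wins."""
    if not source or not source.strip():
        return "gray", ["source unavailable or unverified"]
    bindings = oracle_bindings(source)
    if not bindings:
        return "not_applicable", ["no oracle-like state variable found"]
    verdict, notes = "green", []
    for b in bindings:
        name, setters = b["name"], setters_for(source, b["name"])
        if b["mutability"]:
            colour, why = "red", f"{name} is {b['mutability']}: no admin path to replace it"
        elif not setters:
            colour, why = "red", f"{name} has no setter: replacement needs new code"
        elif not any(s["timelocked"] for s in setters):
            colour, why = "yellow", f"{name} settable via {setters[0]['name']} with no timelock"
        else:
            colour, why = "green", f"{name} settable via timelock-gated {setters[0]['name']}"
        notes.append(why)
        if RANK[colour] > RANK[verdict]:
            verdict = colour
    return verdict, notes


# Constructed sample contracts for the three colours (not from any scored protocol).
RED_SOURCE = """
interface IPriceOracle { function price(address a) external view returns (uint256); }
contract VaultImmutable {
    IPriceOracle public immutable oracle;   // bound at deploy, never replaceable
    address public owner;
    constructor(IPriceOracle _oracle) { oracle = _oracle; owner = msg.sender; }
}
"""
YELLOW_SOURCE = """
contract VaultOwnerSetter {
    IPriceOracle public oracle;
    address public owner;
    function setOracle(IPriceOracle _oracle) external {   // owner key, no delay
        require(msg.sender == owner, "not owner");
        oracle = _oracle;
    }
}
"""
GREEN_SOURCE = """
contract VaultTimelocked {
    IPriceOracle public oracle;
    address public immutable timelock;      // governance timelock contract
    modifier onlyTimelock() { require(msg.sender == timelock, "not timelock"); _; }
    function setOracle(IPriceOracle _oracle) external onlyTimelock {
        oracle = _oracle;
    }
}
"""

if __name__ == "__main__":
    for label, src in (("red", RED_SOURCE), ("yellow", YELLOW_SOURCE),
                       ("green", GREEN_SOURCE), ("gray", None)):
        verdict, notes = score(src)
        print(f"{label:>6}: {verdict} - {'; '.join(notes)}")
```

The worst colour across all oracle-looking bindings is reported, because one `immutable` feed in a multi-collateral vault is enough to trigger the critical gate. A setter gated only by `onlyOwner` lands on yellow even if the owner happens to be a timelock contract, so the curator note on adapter-wrapper and timelock status remains the evidence of record.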

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

**★ Critical factor** This factor alone is sufficient to trigger a D or F grade under rubric v1.7.0. Immutable oracle binding removes the protocol team's last operational lever to respond to feed failure, depeg, or aggregator incidents — transforming any oracle weakness into an unrecoverable structural exposure.

Measurement: what to look for

Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.

Data & output

Data source
Source inspection for `immutable` keyword on oracle address variables + check for admin `setOracle`/`updateFeed` function on Etherscan-verified source
Output format
Green / Yellow / Red · critical gate active
Evidence artifact
Source excerpt of oracle address declaration + admin-setter function (or absence) + curator note on adapter wrapper status
Confidence signal
green = oracle address configurable via admin setter with timelock; yellow = oracle address configurable but no timelock on update; red = oracle address `immutable` with no admin-replaceable wrapper; gray = source unverified

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-180 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | not_applicable |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | red |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | red |
| Concrete | ethereum | green |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | green |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | red |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | red |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | red |
| Multipli | ethereum | red |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | green |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | red |
| QuickSwap | polygon | green |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | red |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | not_applicable |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | not_applicable |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: 1 historical incident

related · Aave V3 · 2026-03-12 · $862K
CAPO (Correlated Asset Price Oracle) misconfigured price feed for a freshly-listed correlated asset → mispriced collateral → cascade of involuntary liquidations
Linked via: Oracle config posture factor — CAPO listing process gap allowed mis-correlated mapping into production
rubric_version: v1.7.0
factor: RD-F-180
category: 3
carried: 80
critical: yes