Security-Council threshold reduction (RT)

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a rt cadence.

Methodology how we score #

**What this measures** This real-time signal fires when a protocol's Security Council multisig executes a threshold reduction (e.g., from 3-of-5 to 2-of-5), a timelock removal, or a new-signer addition within 14 days of either of the previous two event types. The signal is generated by monitoring multisig contract events for threshold modification functions and signer-change events on known Security Council addresses. This factor was added in v1.1 (batch-24) as a specific sub-class of RD-F-182 following the Drift Protocol incident. Category 6 context: this is an exploit-in-progress signal that fires during Security Council governance manipulation — the enabling step before a DPRK-class insider drain.

**Why it matters** The Drift Protocol incident (April 2026, $285M) is the direct evidence base for this factor: a 3-of-5 Security Council threshold reduction and timelock removal were executed on March 25–27, and an admin key transfer occurred on April 1, six days before the $285M DPRK exploit. The threshold reduction lowered the required signers to compromise the Security Council from three to two, materially reducing the attack cost. The static-axis equivalent of this signal is RD-F-031 (signer rotation recency). The combination of threshold reduction and same-window timelock removal is a specific pattern not captured by either the general bridge-signer-change signal (RD-F-103) or the governance-proposal-execution signal (RD-F-101), warranting its own factor.

**Green / Yellow / Red** Green is the baseline when no Security Council threshold reductions or timelock removals have occurred in the trailing 30 days, or when a documented and governance-forum-approved rotation is underway. Yellow fires when a signer addition occurs following governance disclosure — a normal rotation event. Red fires when a Security Council threshold reduction (lowering required signers) or timelock removal is executed within any 14-day window, particularly without prior governance-forum discussion.

**Common gray cases** Gray applies when the protocol does not have a Security Council (not applicable for non-bridge, non-Layer-2 protocols), or when the multisig management contract does not emit standard threshold-change events in a monitorable format.

**Notable historical examples** No cross-hacked incidents currently linked in database for this factor.

Measurement what to look for #

Detect in real-time whether the bridge/protocol Security Council multisig executes a threshold reduction (e.g. 3/5 → 2/5), timelock removal, or new-signer addition within ≤14 days of either of those events.

Data & output #

Data source

Governance contract events + Safe/Gnosis `ChangedThreshold` / `RemovedOwner` / `AddedOwner` events via RPC subscription

Output format

Green / Yellow / Red

Evidence artifact

Event tx hash + before/after threshold + timestamp + 14-day window check

Confidence signal

green = signal not firing; red = threshold reduction or co-occurring governance-weakening event detected; gray = SC multisig contract not registered in monitoring

Scored protocols 80 carry this factor #

Protocol RD-F-182

Aave v3 ethereum green Across Protocol ethereum gray Aerodrome Finance base gray Axelar Network ethereum green Babylon Protocol bitcoin not_applicable Balancer (v2 + v3) ethereum yellow Beefy Finance ethereum green BENQI avalanche gray BlackRock USD Institutional Digital Liquidity Fund (BUIDL) ethereum gray Cap (cUSD / stcUSD) ethereum green Centrifuge ethereum yellow Chainlink CCIP ethereum yellow Circle USYC binance green Compound V3 (Comet) ethereum green Concrete ethereum not_applicable Convex Finance ethereum green crvUSD (Curve Stablecoin) ethereum green Curve Finance ethereum green deBridge ethereum gray Dolomite ethereum green dYdX v4 (dYdX Chain) dydx not_applicable EigenLayer ethereum yellow Ethena ethereum green ether.fi ethereum yellow Euler V2 ethereum not_assessed Falcon Finance ethereum green Fluid ethereum not_applicable Frax Finance ethereum green GMX v2 (GMX Synthetics) arbitrum green Hyperlane ethereum yellow Hyperliquid arbitrum green Jito solana green Jupiter solana green Jupiter Perpetual Exchange solana not_applicable JustLend DAO tron gray Kamino Lend solana yellow Kinetiq hyperliquid not_applicable Lido ethereum green Liquid Collective (LsETH) ethereum yellow Liquity V1 + V2 (LUSD / BOLD) ethereum not_applicable Lista DAO bsc green Lombard Finance ethereum green M^0 ethereum yellow Maple Finance ethereum not_applicable Marinade Finance solana green Meteora solana gray mETH Protocol ethereum green Midas ethereum gray Morpho V1 (Morpho Blue + MetaMorpho) ethereum green Multipli ethereum not_applicable Ondo Finance ethereum gray OpenEden ethereum gray Orca solana not_applicable PancakeSwap bsc gray Pendle Finance ethereum gray Polymarket polygon not_applicable QuickSwap polygon green Raydium solana green Rocket Pool ethereum gray Sanctum solana yellow Save (formerly Solend) solana green Sky Lending (formerly MakerDAO) ethereum yellow Spark Protocol ethereum green Spiko stellar yellow Stake DAO ethereum green StakeWise v3 ethereum yellow Stargate Finance ethereum gray stHYPE (Valantis Labs) hyperliquid gray SUNSwap (sun.io) tron not_applicable Superstate ethereum yellow Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap ethereum green Symbiotic ethereum not_applicable Synapse Protocol ethereum green Uniswap (v2 + v3) ethereum not_applicable USDD (Decentralized USD) tron not_applicable Usual (USD0 / bUSD0 / USUAL) ethereum green Veda (BoringVault) ethereum green Venus Protocol bsc green Wormhole ethereum green Yearn Finance ethereum green

Linked hacks no historical incidents linked #

No historical incidents are linked to this factor.

rubric_version v1.7.0 factor RD-F-182 category 6 carried 80 critical no