★ Immutable oracle address

Evidence summary #

[★ CANDIDATE — held per T-12 PD-017; flag for T-14 review] v2: rate providers (oracle addresses) are configurable by pool admins — not immutable. v2 Vault Authorizer is replaceable via setAuthorizer() (confirmed in IVault interface), and the current AuthorizerWithAdaptorValidation (0x6048A8c631Fb7e77EcA533Cf9C29784e482391e7) was itself set this way. v2 rate provider cache durations can be updated by governance. However, rate-provider changes in v2 currently lack a timelock (TimelockAuthorizer was deprecated, current Authorizer has no enforced delay). v3: rate providers are immutable per-pool at registration — but new pools can be deployed with corrected configurations, so the immutability is per-pool not protocol-level. Overall: oracle/rate-provider addresses are configurable in v2 (yellow: configurable but no timelock) and per-pool immutable in v3 (yellow: new pool needed to correct). Neither meets green (configurable with timelock).

Detail #

F180 definition: red = oracle address immutable with no admin-replaceable wrapper. Yellow = oracle address configurable but no timelock on update. Green = configurable via admin setter with timelock. v2 fails green (no timelock). v3 fails green (per-pool immutability requires new pool + migration). Both score yellow. F180 not counted in ★ critical total per PD-017.

Sources #

Methodology #

Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.

See the full factor methodology and distribution across all protocols →