Guardian/pause-keeper distinct from upgrader

Beefy Finance's assessment for RD-F-034 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Strategy contracts define onlyManager = owner OR keeper. Keeper can call panic(), pause(), unpause() and managerHarvest() — the pause/emergency role is partially separate from upgrade role (only owner can upgradeStrat). However, keeper is set by the manager (owner or keeper), so the keeper role is not fully independent. No distinct guardian multisig separate from the dev multisig exists.

Sources #

Docs
Beefy StratFeeManager Contract DocumentationonlyManager modifier: require(msg.sender == owner() || msg.sender == keeper, '!manager')retrieved 2026-05-16
Docs
Beefy Strategy Contract DocumentationKeeper can panic strategy; owner can upgradeStrat — partial role separationretrieved 2026-05-16

Methodology #

Determine whether a pauser/guardian role exists and is held by an address distinct from the upgrader address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol beefy factor RD-F-034 score yellow collected_at 2026-05-16 13:10:30