Hot-patch deploys without timelock (last 30 days)

Concrete's assessment for RD-F-138 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

VaultProxy (0x0e609b) upgraded May 6, 2026 (11 days before profile date) via Safe execTransaction with no timelock. ConcreteFactory has no timelock mechanism. Hot-patch-class deploy without delay confirmed in last 30 days.

Sources #

Internal
00-profile.md §3 — VaultProxy May 2026 upgrade (no timelock)Profile §3: VaultProxy 0x0e609b 'upgraded ~2026-05-06 (11 days before profile date)'; proxy admin = ConcreteFactoryretrieved 2026-05-17
Etherscan
ConcreteFactory owner Safe — no timelock-gated upgradesConcreteFactory owner Safe: no TimelockController interactions in 26 executions — all direct execTransactionretrieved 2026-05-17

Methodology #

Count upgrades executed in the last 30 days without going through the declared timelock path.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol concrete factor RD-F-138 score red collected_at 2026-05-17 14:36:59