defirisk.co
rubric v1.7.0

Admin = deployer EOA after 7 days

Assessment of crvUSD (Curve Stablecoin) for RD-F-043: scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[CRITICAL] ControllerFactory deployed 2023-05-14. Admin as of 2026-05-16 is still 0xbabe61887f1de2713c6f97e567623453d3c79f67 (Curve Deployer 2 EOA). No admin transfer to Ownership Agent or any multisig has ever occurred — 3+ years post-deploy. MixBytes audit recommendation to transfer to DAO was not actioned. This is the defining governance failure for this protocol.

Sources

  • Audit
    MixBytes crvUSD Audit (June 2023)
    MixBytes audit recommendation: 'it is imperative that only DAO owns the factory, not an EOA' — recommendation NOT implemented
    Retrieved 2026-05-16
  • Etherscan
    ControllerFactory current admin
    ControllerFactory admin() returns Deployer 2 EOA 3+ years after deployment; no set_admin() call to Ownership Agent found in tx history
    Retrieved 2026-05-16

Methodology

Determine whether, at t = deploy+7d, the admin address still equals the deployer EOA with no evidence of transfer to a multisig.


rubric_version: v1.7.0
protocol: crvusd
factor: RD-F-043
score: red
collected_at: 2026-05-16 19:09:40