★ Sudden admin-rescue/ACL change without discussion
crvUSD (Curve Stablecoin)'s assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
PRIMARY-SOURCE CORRECTION (reconciliation U3, 2026-05-16): Etherscan readContract on the ControllerFactory at 0xC9332fdCB1C491Dcc683bAe86Fe3cb70360738BC confirms that admin() returns 0xbabe61887f1de2713c6f97e567623453d3c79f67 (Curve Deployer 2, an EOA). The admin was never transferred to the Curve Ownership Agent (Aragon, 0x40907540d8a6C65c637785e8f8B742ae6b0b9968), despite the MixBytes June-2023 audit explicitly recommending DAO ownership; this state has persisted for roughly three years.

There has been no sudden ACL-change event: the admin position has been this deployer EOA continuously since contract creation on 2023-05-14, and the un-transferred state is publicly known and audit-flagged, not concealed. F123 red requires a confirmed concealed ACL change or insider-implant conduct. A static, openly documented deployer-EOA admin is a Cat 2 decentralization failure (out of Cat 7 scope; the governance-admin-analyst scores this), not a Cat 7 concealed-insider-conduct finding. Yellow: the single-step set_admin() means thi
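The admin() read behind this evidence can be reproduced without Etherscan's UI by issuing the eth_call yourself and decoding the returned word. The script below is an added example, not part of this assessment page or of Curve's own tooling: it builds the JSON-RPC request for admin() using the hardcoded 4-byte selector 0xf851a440 (keccak256("admin()")[:4], so no keccak library is needed), rejects malformed return data instead of silently truncating it, and classifies the holder into the three cases the summary distinguishes (DAO agent, known deployer EOA, anything else). The RPC endpoint URL is an assumption; the addresses are the ones quoted above.

```python
"""Added example: verify who holds admin() on a contract via a raw eth_call.

Not the assessment page's or Curve's code. The admin() selector is hardcoded
(keccak256("admin()")[:4] = 0xf851a440); the RPC URL is an assumption.
"""
import json
import sys
import urllib.request

# Addresses quoted in the evidence summary above.
CONTROLLER_FACTORY = "0xC9332fdCB1C491Dcc683bAe86Fe3cb70360738BC"
CURVE_OWNERSHIP_AGENT = "0x40907540d8a6C65c637785e8f8B742ae6b0b9968"
CURVE_DEPLOYER_2 = "0xbabe61887f1de2713c6f97e567623453d3c79f67"

ADMIN_SELECTOR = "0xf851a440"  # keccak256("admin()")[:4]


def eth_call_payload(to, selector, block="latest"):
    """JSON-RPC eth_call request body for a zero-argument view function."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": to, "data": selector}, block],
    }


def decode_address(return_data):
    """Decode one ABI-encoded `address` return word (32 bytes, left-padded).

    A reverted call, a wrong ABI or a non-contract target comes back empty or
    short; raise rather than return a garbage address in those cases.
    """
    hexstr = return_data[2:] if return_data.startswith("0x") else return_data
    raw = bytes.fromhex(hexstr)
    if len(raw) != 32:
        raise ValueError(f"expected 32-byte return word, got {len(raw)} bytes")
    if any(raw[:12]):
        raise ValueError("upper 12 bytes of the address word are non-zero")
    return "0x" + raw[12:].hex()


def classify_admin(admin, expected_dao, known_eoas):
    """Map the admin() holder to the distinction drawn in the evidence summary.

    Only a holder that is neither the expected DAO agent nor a documented
    deployer EOA is flagged as warranting an ACL-change investigation.
    """
    admin = admin.lower()
    if admin == expected_dao.lower():
        return "dao-owned"
    if admin in {a.lower() for a in known_eoas}:
        return "known-deployer-eoa"
    return "unexpected-admin"


def check_admin(rpc_url, to=CONTROLLER_FACTORY):
    """Live check against an Ethereum JSON-RPC endpoint (rpc_url is assumed)."""
    body = json.dumps(eth_call_payload(to, ADMIN_SELECTOR)).encode()
    req = urllib.request.Request(rpc_url, body, {"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        result = json.load(resp)
    if "error" in result:
        raise RuntimeError(result["error"])
    admin = decode_address(result["result"])
    return admin, classify_admin(admin, CURVE_OWNERSHIP_AGENT, [CURVE_DEPLOYER_2])


if __name__ == "__main__":
    # Assumed default: a local node; pass a real endpoint as argv[1].
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8545"
    print(check_admin(url))
```

Run it against an archive-capable node with a historical block in place of "latest" to confirm the continuity claim (the same EOA at every block since creation), which is the on-chain half of the methodology check; the repository and forum half still has to be done by hand.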
Sources
- Etherscan, crvUSD ControllerFactory readContract, admin(): confirmed returning the Curve Deployer 2 EOA, not the Ownership Agent. Retrieved 2026-05-16.
- MixBytes, "Recap of the crvUSD Audit Findings" (June 2023): recommends transferring the ControllerFactory admin to DAO ownership; the recommendation remains unimplemented roughly three years later. Retrieved 2026-05-16.
- Etherscan, crvUSD ControllerFactory contract page: creator is Curve Deployer 2, confirming the initial admin was set at deployment. Retrieved 2026-05-16.
Methodology
Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.
See the full factor methodology and distribution across all protocols →