★ Sudden admin-rescue/ACL change without discussion
Dolomite's assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[CRITICAL] The 2-of-3 GnosisSafe + PartiallyDelayedMultiSig structure allows operational admin changes (market listings, parameter updates, interest rate setter changes) without mandatory public forum discussion. Four timelock-bypass functions are explicitly documented: ownerSetMarketIsClosing (0xef6957d0), ownerSetMarketMaxWei (0x0cd30a0e), ownerSetInterestSetter (0x121fb72f), GLPWrappedTokenUserVaultFactory::setUserVaultImplementation (0x35598a02) - all execute immediately without the 1-day delay. Governance docs state operational admin is by protocol operators without DAO vote. GitHub safe-transactions folder exists across 10 chains confirming regular admin activity. BeraVote/DIP process is active for major decisions (DIP-02 Aug 2025, DIP-03 Aug 2025 visible). No specific undisclosed admin-rescue or governance-weakening ACL change identified (no Drift-class 3/5->2/5 + timelock removal found). Rated yellow: bypass is structurally documented and operationally justified, but full safe-
Sources #
- DocsAdmin Privileges | Dolomitedocs.dolomite.io/admin-privileges listing all 4 timelock-bypass functions by selector and explaining their emergency rationaleretrieved 2026-05-16
- Dolomite safe-transactions folderdolomite-margin-modules safe-transactions folder structure across 10 chains confirming regular admin governance activityretrieved 2026-05-16
- Dolomite Governance - operator vs DAO splitdocs.dolomite.io/dolomite-governance distinguishing operator-managed changes from DAO-required BeraVote proposalsretrieved 2026-05-16
Methodology #
Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.
See the full factor methodology and distribution across all protocols →