Guardian/pause-keeper distinct from upgrader
Ethena's assessment for RD-F-034 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
GATEKEEPER_ROLE exists in EthenaMinting, held by Ethena Labs staff and external third parties (market makers, exchanges). Gatekeepers can only disable mint/redeem (cannot re-enable — re-enable requires DEFAULT_ADMIN_ROLE). Meaningful separation of pause-keeper from upgrade/admin role.
Sources #
- GitHubEthenaMinting.sol — 'No timelock mechanism exists in this contract. Role changes and configuration updates execute immediately.'https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/EthenaMinting.solretrieved 2026-04-28
- Matrix of Multisig and Timelocks — Gatekeepers role: 'Disables mint/redeems...cannot re-enable'https://docs.ethena.fi/solution-design/key-trust-assumptions/matrix-of-multisig-and-timelocksretrieved 2026-04-28
Methodology #
Determine whether a pauser/guardian role exists and is held by an address distinct from the upgrader address.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol ethena factor RD-F-034 score green collected_at 2026-04-28 13:58:51