★ Sudden admin-rescue/ACL change without discussion
Ethena's assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[★ CRITICAL — YELLOW] No specific undiscussed ACL or admin multisig change event was positively identified in the 180-day assessment window. The monthly governance updates (April-June 2025) were reviewed and contain no contract admin change records. However, three gaps remain unresolved:
- The DEFAULT_ADMIN_ROLE multisig (docs: '7 signatures required, internal + external stakeholders') is not reconciled with the Safe-API-confirmed 5-of-11 Dev Multisig; the composition and address of the 7-signer multisig are not publicly documented at contract level.
- No on-chain Timelock address has been published, so the docs-referenced 7-day time-lock on core function changes cannot be independently verified.
- The April 2026 LayerZero DVN upgrade from 2-of-2 to 4-of-4 was announced publicly post-facto, but its governance approval path is undocumented in the forum.
Not scored red because no specific undiscussed ACL change has been positively confirmed. Yellow reflects admin role opacity and missing Timelock verification.
Sources
- Docs: Key Trust Assumptions | Ethena. https://docs.ethena.fi/solution-design/key-trust-assumptions (retrieved 2026-04-28)
- Ethena April 2025 Governance Update — no ACL change records. https://gov.ethenafoundation.com/t/ethena-s-april-2025-governance-update/567 (retrieved 2026-04-28)
- Ethena restored LZ bridge — DVN upgrade from 2-of-2 to 4-of-4. https://www.weex.com/news/detail/ethena-has-restored-the-layerzero-cross-chain-bridge-functionality-for-susde-and-usde-and-strengthened-security-configurations-698674 (retrieved 2026-04-28)
Methodology
Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.
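One way to run this check over decoded event logs, as an added example that is not the curator's own tooling: it flags admin-changing events (OpenZeppelin AccessControl and Safe event names) inside the 180-day window that no public post cited before execution. The record shapes, the 30-day lookback, the citation-matching rule and all sample addresses, hashes and dates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Events that change who holds admin power: OpenZeppelin AccessControl
# (Role*) and Safe multisig (owner set / threshold).
ACL_EVENTS = {"RoleGranted", "RoleRevoked", "RoleAdminChanged",
              "AddedOwner", "RemovedOwner", "ChangedThreshold"}

def ts(s):
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def undiscussed_acl_changes(events, posts, as_of, window_days=180, lookback_days=30):
    """ACL events in the assessment window with no public post that cites the
    tx hash or contract address in the lookback period BEFORE execution.
    Post-facto announcements do not count. The matching rule is an assumption."""
    start = as_of - timedelta(days=window_days)
    flagged = []
    for ev in events:
        when = ts(ev["time"])
        if ev["event"] not in ACL_EVENTS or not (start <= when <= as_of):
            continue
        refs = {ev["tx"], ev["contract"]}
        earliest = when - timedelta(days=lookback_days)
        if not any(earliest <= ts(p["posted"]) <= when and refs & set(p["cites"])
                   for p in posts):
            flagged.append(ev)
    return flagged

# Constructed sample data (placeholder addresses and hashes, not real ones).
TOKEN, SAFE = "0x" + "aa" * 20, "0x" + "bb" * 20
T1, T2, T3, T4, T5 = ("0x" + f"{i:02x}" * 32 for i in range(1, 6))
EVENTS = [
    {"event": "RoleGranted", "contract": TOKEN, "tx": T1, "time": "2026-01-10T12:00:00"},
    {"event": "ChangedThreshold", "contract": SAFE, "tx": T2, "time": "2026-03-05T09:00:00"},
    {"event": "RoleRevoked", "contract": TOKEN, "tx": T3, "time": "2025-06-01T00:00:00"},
    {"event": "Transfer", "contract": TOKEN, "tx": T4, "time": "2026-02-01T00:00:00"},
    {"event": "RoleGranted", "contract": TOKEN, "tx": T5, "time": "2026-04-01T00:00:00"},
]
POSTS = [
    {"posted": "2026-01-02T00:00:00", "cites": [TOKEN]},  # proposal before T1
    {"posted": "2026-03-09T00:00:00", "cites": [T2]},     # announced after T2
]
AS_OF = datetime(2026, 4, 28, tzinfo=timezone.utc)  # page's retrieval date

if __name__ == "__main__":
    for ev in undiscussed_acl_changes(EVENTS, POSTS, AS_OF):
        print(ev["time"], ev["event"], ev["contract"], ev["tx"])
```

A flagged event is a lead for manual review against the forum and repository history, not a finding on its own.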