defirisk.co
rubric v1.7.0

Role separation: upgrade ≠ fee ≠ oracle

Falcon Finance's assessment for RD-F-035 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

No confirmed role separation. Upgrade, DEFAULT_ADMIN_ROLE, and likely fee/oracle-config roles all appear to route to the same 4-of-6 Safe. One multisig rules all privileged functions.

Detail

USDf proxy admin = 0x1E482B60… (Safe). USDf DEFAULT_ADMIN_ROLE holder = same Safe (via initialize(admin) call). No separate fee-management or oracle-config role addresses are published. The safety net for role separation (distinct addresses holding each role) is absent. All roads lead to the same 4-of-6 Safe, with no separation of concerns between upgrade, parameter-change, and token-policy roles.

Methodology

Determine whether the upgrade role, fee-collection role, and oracle-config role are assigned to distinct addresses.
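
One way to run this check offline, as an added example (not defirisk.co's tooling and not part of the original assessment). The role names, the `assess_role_separation` helper and every address are constructed placeholders; a role with no published holder is treated as unconfirmed rather than as separate.

```python
import re
from collections import defaultdict

# Roles compared by the methodology (names are illustrative assumptions).
ROLES = ("upgrade", "default_admin", "fee", "oracle_config")
_ADDR = re.compile(r"0x[0-9a-f]{40}")

def normalize(addr):
    """Lower-case a 20-byte hex address so checksum casing cannot hide a match."""
    if addr is None:
        return None
    a = addr.strip().lower()
    if not _ADDR.fullmatch(a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def assess_role_separation(holders):
    """Group roles by holder; report shared holders and unpublished roles."""
    by_holder = defaultdict(list)
    unconfirmed = []
    for role in ROLES:
        addr = normalize(holders.get(role))
        if addr is None:
            unconfirmed.append(role)      # no published holder: cannot confirm
        else:
            by_holder[addr].append(role)
    shared = {a: r for a, r in by_holder.items() if len(r) > 1}
    return {
        "shared": shared,
        "unconfirmed": unconfirmed,
        # Confirmed only if every role is published and no two share a holder.
        "separated": not shared and not unconfirmed,
    }

# Constructed sample data (placeholder addresses, not real contracts).
SAFE = "0x" + "Ab" * 20
SINGLE_SAFE = {"upgrade": SAFE, "default_admin": SAFE.lower(),
               "fee": None, "oracle_config": None}
SEPARATED = {role: "0x" + f"{i:02x}" * 20
             for i, role in enumerate(ROLES, start=1)}

if __name__ == "__main__":
    for name, sample in (("single safe", SINGLE_SAFE), ("separated", SEPARATED)):
        print(name, assess_role_separation(sample))
```
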

rubric_version: v1.7.0
protocol: falcon-finance
factor: RD-F-035
score: red
collected_at: 2026-05-12 04:06:37