Security-Council threshold reduction (RT)

Evidence summary #

Security-Council threshold reduction event (RT signal, batch-24) | Applicable: YES (HIGHLY RELEVANT) | The 4-of-6 Safe IS the effective Security Council. No threshold change detected as of 2026-05-12 (nonce=16, threshold stable at 4-of-6 since Jan 2025). CRITICAL NOTE: Falcon has no timelock — it is already in the permanently post-timelock-removal state (the Drift precondition is baked in). Any threshold reduction from 4-of-6 would be an immediate maximum-severity event. Signal not currently firing.

Detail #

F182 definition: multisig executes a threshold reduction (e.g., 3/5 → 2/5), or a timelock removal, or a new-signer addition within <=14 days of either of the above. The Drift Apr 2026 precedent ($285M DPRK exploit) used exactly this pattern: 3/5 → 2/5 SC threshold change + timelock removal 6 days before exploit. Falcon posture: (1) Admin Safe 0x1E482B60bf19Cb1cc859389e0eA3DED153f16Bd7 current threshold = 4-of-6, unchanged since deployment on 2025-01-16 (nonce=16 transactions executed, no threshold changes identified from public Safe API). (2) No timelock has ever existed — Falcon is permanently in the 'post-timelock-removal' state that Drift entered 6 days before its exploit. This is not a signal fire but a structural risk pre-condition. (3) Any future threshold reduction (e.g., 4→3 or 4→2) would be an immediate tier-A fire for this signal. Safe API nonce=16 confirms 16 total transactions with no detected owner/threshold changes. Signal: green (not currently firing) with elevated structural concern already captured by RD-F-102 yellow.

Sources #

Methodology #

Detect in real-time whether the bridge/protocol Security Council multisig executes a threshold reduction (e.g. 3/5 → 2/5), timelock removal, or new-signer addition within ≤14 days of either of those events.

See the full factor methodology and distribution across all protocols →