★ Rescue/emergencyWithdraw without timelock
Jupiter Perpetual Exchange's assessment for RD-F-041 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The IDL contains `withdrawFees2` (admin-callable fee extraction from custody accounts) and no instruction explicitly named rescue or emergencyWithdraw. Squads v4 multisig AxkJ8oH5... enforces a 24-hour on-chain timelock (time_lock=86400s) for transactions it executes. If `withdrawFees2` routes exclusively through the Squads multisig, a 24h delay applies. Because the program is closed-source, it cannot be confirmed whether a separate admin keypair can call `withdrawFees2` directly without the timelock. Scored yellow: the upgrade path has a 24h delay; whether the direct admin instruction routes through the timelock is not verifiable from closed source. Prior yellow (no timelock confirmed) updated: timelock now confirmed for the Squads-mediated path.
Sources
- GitHub: Anchor CPI client for Jupiter Perpetuals program. Jupiter Perpetuals CPI IDL: withdrawFees2 instruction admin-callable; no timelock account in instruction accounts list (routing through Squads multisig not verifiable from IDL alone). Retrieved 2026-05-16.
- Squads v4 multisig config AxkJ8oH5 on Solscan. On-chain: Squads v4 multisig config AxkJ8oH5 time_lock=86400s; upgrade authority 5myNNm... is the Squads v4 vault PDA; any upgrade via multisig has 24h delay. Retrieved 2026-05-16.
Methodology
Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists callable by admin without a timelock delay on execution.
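A first pass of this check can be automated against an Anchor IDL, shown here as an added example that is not the curator's tooling or Jupiter's code. The name patterns are heuristics chosen for this example, and the sample IDL is constructed with illustrative account names rather than the program's real account layout.

```python
import re

# Heuristic patterns (assumptions of this example, not the rubric's own list).
RISKY_NAME = re.compile(r"rescue|emergency|withdraw|sweep", re.I)
TIMELOCK_NAME = re.compile(r"time_?lock", re.I)

def flatten(accounts):
    """Yield leaf accounts; Anchor IDLs may nest account groups under 'accounts'."""
    for acc in accounts:
        if "accounts" in acc:
            yield from flatten(acc["accounts"])
        else:
            yield acc

def is_signer(acc):
    # Legacy Anchor IDLs use 'isSigner'; Anchor 0.30+ uses 'signer'.
    return bool(acc.get("isSigner") or acc.get("signer"))

def audit_idl(idl):
    """Return fund-moving instructions that have a signer but no timelock account."""
    findings = []
    for ix in idl.get("instructions", []):
        if not RISKY_NAME.search(ix["name"]):
            continue
        accounts = list(flatten(ix.get("accounts", [])))
        signers = [a["name"] for a in accounts if is_signer(a)]
        has_timelock = any(TIMELOCK_NAME.search(a["name"]) for a in accounts)
        if signers and not has_timelock:
            findings.append({"instruction": ix["name"], "signers": signers})
    return findings

# Constructed sample IDL: instruction and account names are illustrative only.
SAMPLE_IDL = {"instructions": [
    {"name": "withdrawFees2", "accounts": [
        {"name": "admin", "isMut": False, "isSigner": True},
        {"name": "custodyGroup", "accounts": [
            {"name": "custody", "isMut": True, "isSigner": False},
            {"name": "custodyTokenAccount", "isMut": True, "isSigner": False}]},
        {"name": "receivingTokenAccount", "isMut": True, "isSigner": False}]},
    {"name": "swap", "accounts": [{"name": "owner", "signer": True}]},
    {"name": "withdrawDelayed", "accounts": [
        {"name": "admin", "signer": True},
        {"name": "timelockState", "writable": True}]},
]}

if __name__ == "__main__":
    for finding in audit_idl(SAMPLE_IDL):
        print(finding)
```

A finding means only that the instruction's account list shows no timelock account. The signer may still be a timelocked multisig vault, which has to be confirmed on-chain because the IDL alone cannot show it.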