Timelock on sensitive actions

Kinetiq's assessment for RD-F-033 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No sensitive actions are timelocked. Mint (via MINTER_ROLE reassignment), pause (PauserRegistry), rescue (TREASURY_ROLE), setOracle (MANAGER_ROLE on OracleManager), and upgrade (ProxyAdmin Safe) all execute immediately upon multisig authorization with no time-delay buffer. No OZ TimelockController or equivalent deployed.

Sources #

GitHub
StakingManager.sol source (Code4rena audit repo)StakingManager.sol: rescueToken() TREASURY_ROLE, executeEmergencyWithdrawal() SENTINEL_ROLE — both execute immediately; no timelock checkretrieved 2026-05-17

Methodology #

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol kinetiq factor RD-F-033 score red collected_at 2026-05-17 15:29:57