Guardian/pause-keeper distinct from upgrader
Liquid Collective (LsETH)'s assessment for RD-F-034 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No distinct guardian role with an independent address. TUPProxy admin (= Proxy Admin Safe) holds both upgrade AND pause authority. River.1.sol onlyAdmin functions are controlled by the Governor Safe (same 7-signer set as Proxy Admin Safe). Firewall.sol provides a per-selector allowlist for the Executor Safe, giving some function-level separation between Executor and Governor roles. However, the two most powerful roles (upgrade and protocol-admin) are controlled by addresses sharing identical signer sets — no meaningful guardian independence.
Sources
- GitHub: TUPProxy.sol — admin has both upgrade and pause authority. liquid-collective/liquid-collective-protocol/blob/main/contracts/src/TUPProxy.sol — onlyAdmin for pause (retrieved 2026-05-17)
- Firewall.sol — per-selector executor allowlist (partial separation). liquid-collective/liquid-collective-protocol/blob/main/contracts/src/Firewall.sol — executorCanCall allowlist (retrieved 2026-05-17)
Methodology
Determine whether a pauser/guardian role exists and is held by an address distinct from the upgrader address.