Role separation: upgrade ≠ fee ≠ oracle

Liquid Collective (LsETH)'s assessment for RD-F-035 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Partial on-paper role separation: Proxy Admin Safe (upgrade authority) vs Governor Safe (protocol parameters) vs Executor Safe (operations via Firewall). However, Proxy Admin Safe and Governor Safe have IDENTICAL 7-signer sets — any 4 of the same 7 signers can act as either Safe. Effective key separation between upgrade and parameter roles is zero. Only the Executor Safe has a distinct 3-signer set (separate from the 7).

Sources #

Internal
Data cache — Proxy Admin and Governor Safes have identical signer sets.research/protocols/liquid-collective/00-data-cache.json §sources.safe_multisigs[0].owners == [1].owners (identical 7-owner array)retrieved 2026-05-16
Etherscan
Governor Safe — identical 7-owner set to Proxy Admin Safe0x8EE3fC0Bcd7B57429203751C5bE5fdf1AB8409f3 vs 0xE3208Aa9d1186c1D1C8A5b76E794b2B68E6cb3a5retrieved 2026-05-17

Methodology #

Determine whether the upgrade role, fee-collection role, and oracle-config role are assigned to distinct addresses.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquid-collective factor RD-F-035 score yellow collected_at 2026-05-16 19:46:23