Timelock duration on upgrades
Lombard Finance's assessment for RD-F-032 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
LombardTimeLock (0x055E84e7FE8955E2781010B866f10Ef6E1E77e59) returns getMinDelay() = 3600 seconds (1 hour). At $1.07B TVL, the industry standard is a 24-72 hour minimum. A 1-hour delay is insufficient for users to exit before a malicious upgrade executes. The Base LombardTimeLock (0xf1fc1bE000Db6fa2193aB75E461a5603400d031F) is also deployed, presumably with the same 1-hour delay.
Sources
- Etherscan: https://etherscan.io/address/0x055E84e7FE8955E2781010B866f10Ef6E1E77e59 (retrieved 2026-05-05)
Methodology
Read the timelock delay (in hours) between a queued upgrade proposal and its executable state.
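One way to take this reading over JSON-RPC, as an added example that is not the curator's own tooling: it builds the `eth_call` for `getMinDelay()`, decodes the returned word, and compares it with the 24-hour lower bound cited in the evidence summary. The selector `0xf27a0c92` assumes the contract follows the OpenZeppelin TimelockController ABI, the function names are illustrative, and the sample responses are constructed rather than captured from a node.

```python
import json

GET_MIN_DELAY = "0xf27a0c92"  # getMinDelay() selector (assumes OpenZeppelin TimelockController ABI)
MIN_HOURS = 24                # lower bound of the 24-72 hour range cited in the evidence summary


def build_call(timelock: str, req_id: int = 1) -> str:
    """JSON-RPC eth_call body that reads getMinDelay() at the latest block."""
    return json.dumps({
        "jsonrpc": "2.0", "id": req_id, "method": "eth_call",
        "params": [{"to": timelock, "data": GET_MIN_DELAY}, "latest"],
    })


def decode_delay(response: str) -> int:
    """Return the delay in seconds from an eth_call response, or raise ValueError."""
    body = json.loads(response)
    if "error" in body:
        raise ValueError(f"RPC error: {body['error']}")
    result = body.get("result", "")
    # An address with no code, or without this function, answers "0x".
    # That is "no reading", not a zero delay, so it must not be scored.
    if not result.startswith("0x") or len(result) != 2 + 64:
        raise ValueError(f"expected one 32-byte word, got {result!r}")
    return int(result, 16)


def assess(seconds: int) -> dict:
    """Convert the delay to hours and flag it against the 24-hour floor."""
    hours = seconds / 3600
    return {"seconds": seconds, "hours": hours, "below_minimum": hours < MIN_HOURS}


# Constructed sample responses (not captured from a node).
SAMPLE_1H = json.dumps({"jsonrpc": "2.0", "id": 1, "result": "0x" + format(3600, "064x")})
SAMPLE_EMPTY = json.dumps({"jsonrpc": "2.0", "id": 1, "result": "0x"})

if __name__ == "__main__":
    print(build_call("0x055E84e7FE8955E2781010B866f10Ef6E1E77e59"))
    print(assess(decode_delay(SAMPLE_1H)))
```

Posting the same request body to a Base RPC endpoint with the Base LombardTimeLock address yields a measured value for that deployment.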
rubric_version: v1.7.0
protocol: lombard
factor: RD-F-032
score: red
collected_at: 2026-05-05 12:03:08