defirisk.co
rubric v1.7.0

Rescue/emergencyWithdraw without timelock

Meteora's assessment for RD-F-041 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Squads v3 has no on-chain timelock — all admin operations (including any pool-drain or config-reset equivalent) execute with 0 on-chain delay after threshold approval. DBC set_pool_status (disable pools) is callable by admin without timelock. No confirmed dedicated emergencyWithdraw function found in DLMM public source, but all admin functions share the same untimed execution path. Multiple signer approvals required (multisig enforced), preventing single-key instant drain. Yellow vs red: multisig threshold protection mitigates single-actor immediate drain, but zero on-chain delay remains.

Sources #

  • URL
    Meteora Community Call Recap April 2024Meteora community call April 2024 — governance intent stated, program update authority under teamretrieved 2026-05-16
  • GitHub
    DAMM v2 GitHubMeteoraAg/damm-v2 README — set_pool_status admin function with no delayretrieved 2026-05-16
  • Internal
    Solana Governance Verification MethodologySOLANA_GOVERNANCE.md — no time_lock in Squads v3; all operations immediate after thresholdretrieved 2026-05-16

Methodology #

Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists callable by admin without a timelock delay on execution.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol meteora factor RD-F-041 score yellow collected_at 2026-05-16 10:03:05