Timelock on sensitive actions

mETH Protocol's assessment for RD-F-033 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

TimelockController exists and is structurally integrated (Security Council Safe as PROPOSER). However, minDelay=0 means the timelock provides no delay-based protection. Sensitive actions (upgrades, parameter changes) nominally route through the TimelockController but can execute immediately. Effectively functions as an organizational access-control layer without temporal protection.

Sources #

Etherscan
TimelockController — proxy admin for core contractsTimelockController 0xc26016... minDelay=0; mETH token proxy admin = TimelockController; Staking proxy admin = TimelockControllerretrieved 2026-05-16
GitHub
mETH Protocol Timelock role structurerenounce_for_public.s.sol confirms Security Council Safe as PROPOSER on Timelock — routing is in place but delay is zeroretrieved 2026-05-16

Methodology #

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol meth-protocol factor RD-F-033 score yellow collected_at 2026-05-16 02:17:50