★ Immutable oracle address
mETH Protocol's assessment for RD-F-180 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[★ CRITICAL-CANDIDATE — held per PD-017; flag for T-14 post-launch promotion review]
The oracle address in Staking.sol is declared as `IOracleReadRecord public oracle`: a regular storage variable, not one marked with the EVM immutable keyword. No setOracle() admin function exists, so the oracle cannot be replaced via a direct admin call. However, Staking is a TransparentUpgradeableProxy (impl 0x01a360392c74b5b8bf4973f438ff3983507a06a2, upgraded 2025-10-30), so the oracle address can be changed via a proxy upgrade. Upgrade path: Protocol Admin Safe (3-of-8) -> TimelockController (minDelay=0s) -> upgrade. Because the TimelockController has zero delay, the oracle could theoretically be changed in a single multisig transaction without any enforced user-exit window.
This is YELLOW, not RED: there is no EVM immutable keyword, and an upgrade path exists. It is less severe than USD0++/USR (truly EVM-immutable oracle with no upgrade path). The curator must verify the current TimelockController minDelay post-deploy.
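The verification step the summary ends on, as an added example (not the protocol's or the curator's own code): it builds the two read-only JSON-RPC queries and decodes a response. The `getMinDelay()` selector and the EIP-1967 implementation slot are assumptions about the deployed OpenZeppelin contracts, and the sample response is constructed, not live chain data.

```python
import json

# Addresses as given on this page.
TIMELOCK = "0xc26016f1166bE7b6c5611AAB104122E0f6c2aCE2"
STAKING_PROXY = "0xe3cBd06D7dadB3F4e6557bAb7EdD924CD1489E8f"
REVIEWED_IMPL = "0x01a360392c74b5b8bf4973f438ff3983507a06a2"
# First 4 bytes of keccak256("getMinDelay()") (OpenZeppelin TimelockController).
GET_MIN_DELAY = "0xf27a0c92"
# EIP-1967 implementation slot; assumes the proxy follows EIP-1967.
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"

def build_requests():
    """JSON-RPC batch: current minDelay and current implementation address."""
    return [
        {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
         "params": [{"to": TIMELOCK, "data": GET_MIN_DELAY}, "latest"]},
        {"jsonrpc": "2.0", "id": 2, "method": "eth_getStorageAt",
         "params": [STAKING_PROXY, IMPL_SLOT, "latest"]},
    ]

def _word(result):
    """Validate a 32-byte hex word and return its 64 hex digits."""
    digits = result[2:] if result.startswith("0x") else ""
    if len(digits) != 64:
        raise ValueError(f"expected a 32-byte word, got {result!r}")
    int(digits, 16)  # raises ValueError on non-hex input
    return digits.lower()

def assess(responses):
    """Decode the batch response into the facts the score depends on."""
    by_id = {r["id"]: r for r in responses}
    for rid in (1, 2):
        if "result" not in by_id.get(rid, {}):
            raise ValueError(f"request {rid} failed: {by_id.get(rid)}")
    min_delay = int(_word(by_id[1]["result"]), 16)
    impl = "0x" + _word(by_id[2]["result"])[-40:]  # address = low 20 bytes
    return {
        "min_delay_seconds": min_delay,
        "enforced_exit_window": min_delay > 0,
        "implementation": impl,
        "impl_changed_since_review": impl != REVIEWED_IMPL.lower(),
    }

# Constructed sample response (not live chain data), matching the evidence above.
SAMPLE = [
    {"jsonrpc": "2.0", "id": 1, "result": "0x" + "0" * 64},
    {"jsonrpc": "2.0", "id": 2, "result": "0x" + "0" * 24 + REVIEWED_IMPL[2:]},
]
if __name__ == "__main__":
    print(json.dumps({"requests": build_requests(), "sample": assess(SAMPLE)}, indent=2))
```

A changed implementation address means the `oracle` storage variable has to be re-read from the new code before the score is reused.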
Sources
- Etherscan: TimelockController — minDelay=0. TimelockController 0xc26016f1166bE7b6c5611AAB104122E0f6c2aCE2 — minDelay=0 per constructor args (no enforced delay on upgrades). Retrieved 2026-05-16.
- Staking proxy — TransparentUpgradeableProxy. Staking proxy 0xe3cBd06D7dadB3F4e6557bAb7EdD924CD1489E8f — TransparentUpgradeableProxy, impl last upgraded 2025-10-30. Retrieved 2026-05-16.
- Staking implementation — oracle storage declaration. Staking implementation 0x01a360392c74b5b8bf4973f438ff3983507a06a2 — `IOracleReadRecord public oracle` declaration, no setOracle() function visible. Retrieved 2026-05-16.
Methodology
Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.