Role separation: upgrade ≠ fee ≠ oracle
Multipli's assessment for RD-F-035 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
RolesAuthority defines ADMIN_ROLE, FUND_MANAGER_ROLE, ORACLE and EXTERNAL_CURATOR. However, Base.s.sol initializes all of them with OWNER (the same EOA) as the authority owner, who can grant every role. Functional separation exists in the architecture, but all roles are grantable by a single EOA owner. Assessed yellow: the role architecture exists, but effective separation is not confirmed.
Sources
- GitHub: Base.s.sol deployment — single OWNER controls all role assignments. Base.s.sol: new RolesAuthority(OWNER, ...) with OWNER controlling all role grants. Retrieved 2026-05-17.
- RolesAuthority Avalanche — single EOA executes all role grants. Snowtrace 0xf580B985 RolesAuthority: all Set Role Capability / Set User Role calls from 0x8cFee31b. Retrieved 2026-05-17.
Methodology
Determine whether the upgrade role, fee-collection role, and oracle-config role are assigned to distinct addresses.
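One way to run this check over a log of role grants, as an added example that is not the curator's or the protocol's own tooling. The event tuples, placeholder addresses and the mapping of upgrade/fee/oracle onto the role names from the evidence summary are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data, not taken from chain; addresses are placeholders.
OWNER = "0xowner_placeholder"
EVENTS = [
    # (tx sender, user, role, enabled), shaped like a "Set User Role" call
    (OWNER, OWNER, "ADMIN_ROLE", True),
    (OWNER, "0xmanager_placeholder", "FUND_MANAGER_ROLE", True),
    (OWNER, "0xoracle_placeholder", "ORACLE", True),
    (OWNER, "0xoracle_placeholder", "ORACLE", False),  # later revoked
    (OWNER, OWNER, "ORACLE", True),
]
# Assumed mapping of the methodology's three functions onto role names.
FUNCTION_ROLES = {"upgrade": "ADMIN_ROLE", "fee": "FUND_MANAGER_ROLE",
                  "oracle": "ORACLE"}

def current_holders(events):
    """Replay grants and revocations in order; return role -> set of holders."""
    holders = defaultdict(set)
    for _sender, user, role, enabled in events:
        user = user.lower()  # checksummed and lowercase forms are one address
        if enabled:
            holders[role].add(user)
        else:
            holders[role].discard(user)
    return holders

def assess(events, authority_owner, function_roles=FUNCTION_ROLES):
    holders = current_holders(events)
    per_fn = {fn: holders.get(role, set()) for fn, role in function_roles.items()}
    held_by = defaultdict(set)
    for fn, addrs in per_fn.items():
        for addr in addrs:
            held_by[addr].add(fn)
    # Addresses that hold more than one of the three functions.
    overlaps = {a: sorted(fns) for a, fns in held_by.items() if len(fns) > 1}
    unassigned = sorted(fn for fn, addrs in per_fn.items() if not addrs)
    granters = {sender.lower() for sender, *_ in events}
    return {
        "overlaps": overlaps,
        "unassigned": unassigned,
        "distinct_holders": not overlaps and not unassigned,
        # True when every grant came from the authority owner alone, so the
        # same key can reassign any role even if holders are distinct today.
        "single_granter": granters == {authority_owner.lower()},
    }
```

A result with `distinct_holders` true and `single_granter` true corresponds to the situation described in the evidence summary: separation exists on paper, but one key can collapse it.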
rubric_version: v1.7.0 | protocol: multipli | factor: RD-F-035 | score: yellow | collected_at: 2026-05-17 11:48:35