Timelock on sensitive actions

Ondo Finance's assessment for RD-F-033 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[PD-042 rescore 2026-05-12, v1.7.0+] Timelock on admin actions is incompatible with the regulatory response model: the issuer must be able to act immediately on court-ordered freeze, sanctions compliance, or fund-rules changes. Scored not_applicable per PD-042 (Cat 2 RWA-issuer subset). Residual operational risk of key compromise is captured by multisig-coverage factors (yellow rather than N/A). ORIGINAL EVIDENCE (preserved from v1.6.0 grading): Layer A: No timelock on mint, pause, retrieveTokens, setOracle, or upgrade for OUSG/USDY/InstantManager contracts. The dominant $3.5B+ TVL operates with no timelock protection. Layer B (Flux Finance): 24h timelock only.

Sources #

GitHub
https://github.com/ondoprotocol/usdy/blob/main/contracts/RWAHub.solretrieved 2026-04-28
Etherscan
https://etherscan.io/address/0x2c5898da4DF1d45EAb2B7B192a361C3b9EB18d9cretrieved 2026-04-28
GitHub
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.solretrieved 2026-04-28

Methodology #

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ondo-finance factor RD-F-033 score not_applicable collected_at 2026-05-14 12:01:55