Timelock on sensitive actions

Polymarket's assessment for RD-F-033 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No timelock on any of the five sensitive action categories. mint (owner grants MINTER_ROLE, no timelock); pause (direct admin call, no timelock); rescue (no function); setOracle (UMA adapter reset direct, emergencyResolve has 2-day flagging delay only); upgrade (pUSD UUPS _authorizeUpgrade onlyOwner, no timelock).

Sources #

GitHub
CollateralToken.sol — _authorizeUpgrade onlyOwner (no timelock); addMinter onlyOwnerPolymarket/ctf-exchange-v2/src/collateral/CollateralToken.solretrieved 2026-04-29
GitHub
Auth.sol — no timelock mechanism; addAdmin/addOperator execute immediatelyPolymarket/ctf-exchange-v2/src/exchange/mixins/Auth.solretrieved 2026-04-29

Methodology #

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol polymarket factor RD-F-033 score red collected_at 2026-04-29 16:25:39