defirisk.co
rubric v1.7.0

Single admin EOA

Save (formerly Solend)'s assessment for RD-F-027 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[★ CRITICAL] Main program upgrade_authority = RY93CZYe5g6drtG7W9PmHRPzaBLZ1uwihTzayQTmJfh (on-chain ProgramData, is_on_curve: True = single keypair). Eclipse wrapper upgrade_authority BownY7uPxZ5jLjBxPNvqaWa3VD9WJvwQEUYVC5sERzET also on-curve. Docs-stated key 2Fwvr3MKhHhqakgjjEWcpWZZabbRCetHjukHi1zfKxjk also on-curve (discrepancy noted). Neodyme confirmed 'Solend is using a hot wallet' — 'this entity has complete control over the funds the contract holds.' Single private key can push arbitrary bytecode to $79.5M lending program; no multisig, no timelock.

Sources

  • URL
    Neodyme — Solana Upgrade Authority Risk Analysis. Neodyme blog, 'Why Auditing the Code is Not Enough: A Discussion on Solana Upgrade Authorities'. Confirms Solend uses hot wallet upgrade authority 2Fwvr3MK... (docs-stated; on-chain is RY93CZYe5g6...). Retrieved 2026-05-17.
  • Internal
    Save profile — grade-decisive governance fact. research/protocols/save/00-profile.md §3 [ON-CHAIN AUTHORITATIVE] and §11 [GRADE-DECISIVE] — upgrade_authority = RY93CZYe5g6drtG7W9PmHRPzaBLZ1uwihTzayQTmJfh, is_on_curve: True per Phase-0.5 anti-drift #12. Retrieved 2026-05-17.

Methodology

Determine whether the effective upgrade/owner/rescue role is held by a single EOA (not a multisig) with no timelock on sensitive operations.
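The on-chain half of this check (is the upgrade authority a single keypair?) can be reproduced from the raw ProgramData account. The following is an added example written for this page, not code from defirisk.co or from Save; it assumes the BPF upgradeable loader's bincode layout for UpgradeableLoaderState::ProgramData (u32 variant tag 3, u64 slot, then Option<Pubkey> as one tag byte plus 32 bytes) and implements the same ed25519 decompression test that Solana's Pubkey::is_on_curve performs via curve25519-dalek. The function names, the dict it returns and the sample account bytes are the example's own constructions; the timelock half of the rubric question is a separate governance review and is not covered here.

```python
import struct

# Input is the raw data of the program's ProgramData account (BPF upgradeable
# loader), as returned by getAccountInfo. Layout of
# UpgradeableLoaderState::ProgramData in bincode: u32 variant tag (3), u64 slot,
# Option<Pubkey> = 1 tag byte + 32 bytes. 45 bytes of metadata, then the ELF.
PROGRAMDATA_VARIANT = 3
METADATA_LEN = 4 + 8 + 1 + 32

# ed25519 field constants (RFC 8032).
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)  # sqrt(-1): 2 is a non-residue since P = 5 (mod 8)


def _sqrt_ratio(u: int, v: int):
    """Return (ok, x) with v*x^2 == u (mod P), or (False, 0) if no such x exists."""
    v3 = pow(v, 3, P)
    v7 = (v3 * v3 * v) % P
    x = (u * v3 * pow(u * v7, (P - 5) // 8, P)) % P
    check = (v * x * x) % P
    if check == u % P:
        return True, x
    if check == (-u) % P:
        return True, (x * SQRT_M1) % P
    return False, 0


def is_on_curve(pubkey: bytes) -> bool:
    """True if the 32 bytes decompress to an ed25519 point, i.e. the address
    can belong to an ordinary keypair. PDAs are chosen off-curve by construction.
    Mirrors curve25519-dalek decompression (used by Solana's Pubkey::is_on_curve):
    the top bit is the x sign and is masked off before reading y."""
    if len(pubkey) != 32:
        raise ValueError("pubkey must be 32 bytes")
    y = (int.from_bytes(pubkey, "little") & ((1 << 255) - 1)) % P
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P
    ok, _ = _sqrt_ratio(u, v)
    return ok


_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 (Bitcoin alphabet) as used for Solana addresses."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def parse_programdata_authority(account_data: bytes):
    """Return (slot, upgrade authority bytes or None) from ProgramData account data."""
    if len(account_data) < METADATA_LEN:
        raise ValueError("account data shorter than ProgramData metadata")
    variant, slot, has_authority = struct.unpack_from("<IQB", account_data, 0)
    if variant != PROGRAMDATA_VARIANT:
        raise ValueError(f"not a ProgramData account (variant {variant})")
    if has_authority == 0:
        return slot, None          # authority set to None: program is immutable
    if has_authority != 1:
        raise ValueError("malformed Option tag")
    return slot, bytes(account_data[13:METADATA_LEN])


def assess_upgrade_authority(account_data: bytes) -> dict:
    """Classify the upgrade authority the way the RD-F-027 factor asks:
    None -> immutable; on-curve -> a single keypair (the hot-wallet case scored
    red on this page); off-curve -> a PDA, usually owned by a multisig or
    governance program, whose signer set must then be inspected in turn."""
    slot, authority = parse_programdata_authority(account_data)
    if authority is None:
        return {"slot": slot, "authority": None, "kind": "immutable", "single_keypair": False}
    on_curve = is_on_curve(authority)
    return {
        "slot": slot,
        "authority": b58encode(authority),
        "is_on_curve": on_curve,
        "kind": "single_keypair" if on_curve else "pda",
        "single_keypair": on_curve,
    }


if __name__ == "__main__":
    # Constructed sample: variant 3, slot 123456, Some(all-zero pubkey), then a
    # stand-in for the ELF. The all-zero key (system program id, 32 ones in
    # base58) is a valid curve point, so it classifies as a single keypair.
    sample = struct.pack("<IQB", PROGRAMDATA_VARIANT, 123456, 1) + bytes(32) + b"\x7fELF..."
    print(assess_upgrade_authority(sample))
```

An on-curve result proves only that one ed25519 private key is sufficient to sign an upgrade; it says nothing about how that key is stored (hardware wallet, MPC, or a plain hot wallet), which is why the page pairs the on-chain fact with the Neodyme quote. An off-curve result is not a pass by itself: the PDA's owning program and its signer threshold still have to be read out before the factor can be scored.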


rubric_version: v1.7.0
protocol: save
factor: RD-F-027
score: red
collected_at: 2026-05-17 15:20:15