Security-Council threshold reduction (RT)
Spiko's assessment for RD-F-182 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Signal directly applicable: Spiko's UUPS proxies are controlled by super-admin Safe 0xEBB418e1f8E8F26BdF7816A2cD25bE87c040E425 (2-of-5 per invocation context). A threshold reduction (e.g., 2-of-5 → 1-of-5) or signer addition within 14 days would be the trigger. Current posture: an execTransaction was observed ~9 days ago; specific function called could not be decoded via public WebFetch (JS-rendered). No confirmed threshold change identified. No timelock exists to delay execution post-Safe-approval. A threshold reduction would directly enable a single-signer upgrade of $1.2B in protocol TVL — the Drift Protocol ($285M) was preceded by exactly this pattern (3/5 → 2/5). Signal is T-09 v1.1 candidate; production monitoring requires Safe contract event subscription on 0xEBB418.
Sources #
- InternalSpiko profile — admin control and timelock absence00-profile.md §6: no timelock confirmed (governance.timelock_address null); super-admin multisig has full access to upgrade contracts and manage permissionsretrieved 2026-05-16
- Spiko super-admin Safe — transaction historyGnosisSafeProxy 0xEBB418e1f8E8F26BdF7816A2cD25bE87c040E425 — last execTransaction ~9 days ago; function not decodable via public HTMLretrieved 2026-05-16
- Taxonomy v1.1 batch-24 — RD-F-182 definition and rationaleTaxonomy batch-24 RD-F-182: Drift Protocol Apr 2026 — 3/5 → 2/5 SC threshold change + timelock removal, 6 days before $285M DPRK exploit. Signal defined in Cat 6B.retrieved 2026-05-16
Methodology #
Detect in real-time whether the bridge/protocol Security Council multisig executes a threshold reduction (e.g. 3/5 → 2/5), timelock removal, or new-signer addition within ≤14 days of either of those events.
See the full factor methodology and distribution across all protocols →