UUPS _authorizeUpgrade correctly permissioned

Stake DAO's assessment for RD-F-021 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No UUPS upgradeable contracts identified among inspected core contracts. vlSDT is non-upgradeable. veSDT uses TransparentUpgradeableProxy (not UUPS). CurveYCRVVoter is non-upgradeable. LaPoste uses a custom proxy pattern. UUPS pattern not present in core audited surface.

Sources #

Etherscan
veSDT Proxy EtherscanveSDT 0x0C30476f66034E11782938DF8e4384970B6c9e8a — TransparentUpgradeableProxy (not UUPS)retrieved 2026-05-16
Etherscan
vlSDT Etherscan Source — Non-UpgradeablevlSDT 0x94818A7baa7e9F5dC62ce4da1B52ef9a760b80B8 — non-upgradeable, standard constructorretrieved 2026-05-16

Methodology #

Determine whether the UUPS implementation defines `_authorizeUpgrade(address)` restricted to owner/admin/timelock (not open to arbitrary callers).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol stake-dao factor RD-F-021 score not_applicable collected_at 2026-05-16 12:29:20