defirisk.co
rubric v1.7.0

Hot-patch deploys without timelock (last 30 days)

Stake DAO's assessment for RD-F-138 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

veSDT upgraded 2026-04-27 — whether this went through the 8h timelock is not confirmed. PROXY_ADMIN owner unconfirmed. If direct upgrade by PROXY_ADMIN owner without queue/execute, this is a hot-patch bypassing timelock. Cannot confirm all upgrades in last 30 days are timelocked.

Sources #

  • Etherscan
    Stake DAO PROXY_ADMINPROXY_ADMIN controls transparent proxy upgrades; owner unconfirmed — may not route through timelockretrieved 2026-05-16
  • Etherscan
    veSDT Proxy Upgrade HistoryveSDT proxy upgrade 2026-04-27 confirmed on Etherscan; timelock path not confirmed for this upgraderetrieved 2026-05-16

Methodology #

Count upgrades executed in the last 30 days without going through the declared timelock path.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol stake-dao factor RD-F-138 score yellow collected_at 2026-05-16 12:29:20