★ Rescue/emergencyWithdraw without timelock
Superstate's assessment for RD-F-041 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[STAR in scope] No discrete rescue() or emergencyWithdraw() function was found in SuperstateToken.sol. However, adminBurn(address src, uint256 amount) allows the owner to burn tokens from any address without a timelock, a functionally analogous unilateral value-destruction capability for an RWA token. pause() halts all transfers instantly. None of these has an on-chain timelock. Scored yellow, not red, because: (1) tokens represent off-chain fund shares with legal accountability, (2) adminBurn is legally constrained by SEC regulations, (3) no transfer() to admin (drain to self) pattern exists.
Sources
- GitHub: SuperstateToken.sol - adminBurn and Pause Functions. SuperstateToken.sol: adminBurn(address src, uint256 amount) restricted to _checkOwner(); no timelock; pause() also owner-only with no delay; no rescue() or emergencyWithdraw(). Retrieved 2026-05-16.
- Superstate Documentation - Admin Burn Capability. Docs: 'forcibly burning an investor's tokens (if required by exogenous legal circumstances)' - owner-level capability, no delay stated. Retrieved 2026-05-16.
Methodology
Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists that the admin can call without a timelock delay on execution.
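A first-pass static check in the spirit of this methodology, as an added example (not Superstate's code or the curator's tooling): it scans Solidity source for owner-gated functions with no delay marker and separates those named rescue/emergencyWithdraw from functionally analogous ones such as adminBurn and pause. The Solidity fragment is constructed from the function names in the evidence summary, and the delay keywords are assumed heuristics.

```python
import re

# Constructed fragment using the function names cited in the evidence summary;
# it is NOT the real SuperstateToken.sol source.
SAMPLE = """
contract Token {
    function adminBurn(address src, uint256 amount) external {
        _checkOwner();
        _burn(src, amount);
    }
    function pause() external {
        _checkOwner();
        _pause();
    }
    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
RESCUE_NAME = re.compile(r"rescue|emergencyWithdraw", re.I)
OWNER_GATE = re.compile(r"\bonlyOwner\b|\b_checkOwner\s*\(")
# Assumed heuristic markers of a delay; a real review reads the call path.
DELAY_HINT = re.compile(r"timelock|block\.timestamp|delay", re.I)

def functions(src):
    """Yield (name, header, body) for each function that has a body."""
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):  # brace matching; ignores comments/strings
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(3), src[m.end():i - 1]

def audit(src):
    """Split owner-gated functions with no delay marker into two buckets."""
    report = {"rescue_without_delay": [], "other_owner_only_without_delay": []}
    for name, header, body in functions(src):
        text = header + body
        if not OWNER_GATE.search(text) or DELAY_HINT.search(text):
            continue
        key = "rescue_without_delay" if RESCUE_NAME.match(name) else "other_owner_only_without_delay"
        report[key].append(name)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty first bucket with a populated second one is the situation the evidence summary describes: no rescue-named function, but owner-only functions that execute immediately.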