Timelock on sensitive actions

Symbiotic's assessment for RD-F-033 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No timelock on any sensitive action type. Factory whitelist (implementation addition) is immediately executable by Safe owner. DefaultCollateral limitIncreaser increaseLimit() executes immediately. No mint/pause/rescue/setOracle/upgrade are timelocked. The protocol has no TimelockController.

Sources #

GitHub
DefaultCollateral.sol — increaseLimit() no timelockDefaultCollateral.sol — increaseLimit() callable directly by limitIncreaser with no delayretrieved 2026-05-16
GitHub
MigratablesFactory.sol — sensitive actions without timelockMigratablesFactory.sol whitelist() — onlyOwner, no timelock; DefaultCollateral.sol increaseLimit() — onlyLimitIncreaser, no timelockretrieved 2026-05-16

Methodology #

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol symbiotic factor RD-F-033 score red collected_at 2026-05-16 09:25:24