Role separation: upgrade ≠ fee ≠ oracle

USDD (Decentralized USD)'s assessment for RD-F-035 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The canonical Ethereum wards system (0x4f8e5de400de08b164e7421b3ee387f461becd1a, source-verified) grants all permissions (mint, burn, and potentially oracle/pause control) to each ward address — no role separation by design. MakerDAO-style wards is a single-permission-layer architecture. Yellow rather than red because the ward set may in practice include addresses with different operational functions, but this is undisclosed.

Sources #

Etherscan
USDD canonical ERC-20 verified source — wards systemEtherscan verified source 0x4f8e5de400de08b164e7421b3ee387f461becd1a (canonical, Exact Match) — single wards mapping controls all functionsretrieved 2026-05-17

Methodology #

Determine whether the upgrade role, fee-collection role, and oracle-config role are assigned to distinct addresses.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol usdd factor RD-F-035 score yellow collected_at 2026-05-17 11:34:18