★ Admin = deployer EOA after 7 days
Veda (BoringVault)'s assessment for RD-F-043 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[U18 RE-CITED — score unchanged] Deployer EOA 0x0463e60c remained effective admin of the RolesAuthority from June 2024 through May 4 2026 (~23 months), far exceeding the 7-day transfer window. Transfer to TimelockController+Safe completed May 4 2026. [U18 CONFIRMED] The transfer went to a verified 3-of-5 Gnosis Safe — a proper multisig, not another EOA. Long-tail risk period is historical. Yellow because: (1) 23-month EOA period is a material historical risk; (2) the confirmed 3-of-5 receiving Safe is genuine but the current zero-delay TimelockController provides only nominal improvement over EOA-level response speed.
Sources
- Etherscan: ether.fi Deployer 4 — tx history showing 23-month admin period. 0x0463e60c tx history: setUserRole calls through Jan 2026; most recent ownership transfer May 4 2026. Retrieved 2026-05-17.
- TransferOwnership tx — May 4 2026. tx 0xb19dec5... — final transferOwnership May 4 2026 completing governance transition. Retrieved 2026-05-17.
- Safe Transaction Service mainnet — transfer to verified 3-of-5 Safe (U18). Safe Transaction Service mainnet API: receiving Safe 0xD6E47E0F confirmed 3-of-5 — genuine multisig, not another EOA (U18). Retrieved 2026-05-17.
Methodology
Determine whether, at t = deploy+7d, the admin address still equals the deployer EOA with no evidence of transfer to a multisig.