defirisk.co
rubric v1.7.0

Sudden admin-rescue/ACL change without discussion

Veda (BoringVault)'s assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No public governance forum exists for any Veda vault (no Snapshot, no Tally, no forum URL in docs or data cache). Merkle-root updates — which expand or modify the vault's permitted strategy actions, constituting functional ACL changes — are regularly committed to boring-vault main (e.g., 'update sonicLBTCv root', 'sei liquidUSD root', 'remove wrong address') without corresponding public discussion issues or PRs. The boring-vault GitHub issues page shows no open issues. Veda's documentation acknowledges this as the intended per-vault curator model (configurable: unilateral curator, pending-review period, or restricted). No emergency admin-rescue event (sudden owner change, unexpected RolesAuthority transfer) was detected in the 180-day lookback. Yellow (not red) because: (a) the operational model is disclosed, not covert; (b) no emergency admin-rescue event was detected; (c) routine merkle-root updates are the documented operating mode. The structural absence of any public discussion me

Sources #

  • GitHub
    Veda-Labs/boring-vault — Commit Historyboring-vault commit log showing merkle-root updates merged without corresponding issue/PR discussion: 'update sonicLBTCv root', 'sei liquidUSD root', 'remove wrong address'retrieved 2026-05-17
  • Internal
    Veda 00-profile.md §6 — governance topology00-profile.md §6: governance.type=unknown, snapshot_space=null, governor_address=null confirming no public governance forumretrieved 2026-05-17
  • Docs
    Smart Contract Security — Veda DocsVeda docs: smart-contract-security page confirms merkle root updates are configurable: curator may be granted unilateral update authority, pending-review, or restrictedretrieved 2026-05-17

Methodology #

Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol veda factor RD-F-123 score yellow collected_at 2026-05-17 12:41:22