defirisk.co
rubric v1.7.0

Signer rotation recency

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor records the number of months since the most recent signer-set change on the protocol's governance multisig, including any addition or removal of a signer, or a change to the threshold. A long-dormant signer set is a stale-key risk: signers who departed the team may retain active keys, and keys that are never rotated carry an exposure window that only grows. The v1.1 extension notes that the direction of the change matters: a threshold reduction combined with a new signer addition within a short window is a precursor pattern for targeted key compromise attacks.

**Why it matters** Signer sets that have not been rotated in 12 or more months represent an operational security gap. Team members depart, key storage disciplines lapse, and the probability of at least one key in a stagnant set being compromised grows over time. The Gala Games exploit involved an admin key that had been dormant for over 30 days, a pattern that correlated with reduced operational vigilance. Force Bridge and OKX DEX both show that decommissioned or stale infrastructure retaining active credential authority is a persistent attacker target.

**Green / Yellow / Red** Green is assigned when a signer rotation or threshold review has occurred within the past 12 months, or when the protocol uses a smart-contract-based signer registry with automatic expiry. Yellow covers 12–24 months since last rotation with no evidence of key compromise. Red is assigned when the signer set has not been reviewed or rotated in more than 24 months, or when a recent change shows a threshold reduction without a corresponding security review.

**Common gray cases** This factor is grayed when the multisig signer set is not public and on-chain transaction data does not resolve the last-rotation date.

**Notable historical examples**
- **Gala Games** ($21.8M, 2024): Admin key dormant for extended period; compromise via unauthorized access to a dormant signing credential.
- **OKX DEX** ($2.7M, 2023): Deprecated proxy admin key not rotated or revoked; key was live on decommissioned infrastructure.
- **Force Bridge** ($3.76M, 2025): Key on sunset infrastructure exploited immediately after sunset announcement.
- **GANA Payment** ($3.1M, 2025): Stale onlyEOA pattern combined with EIP-7702 exploit on nine-day-old protocol.

Measurement: what to look for

Measure the number of months since the most recent signer-set change (add/remove signer) on the admin multisig; flag if threshold was reduced within 14 days of a timelock removal or new-signer addition.

Data & output

**Data source** `AddedOwner`/`RemovedOwner`/`ChangedThreshold` events on Safe/Gnosis contract via RPC event log

**Output format** Green / Yellow / Red

**Evidence artifact** Event log of signer-set changes + timestamps + threshold-reduction flag if applicable

**Confidence signal** green = no signer change in last 90 days OR change was threshold-increase; yellow = signer change within 90 days (routine rotation); red = threshold reduction within 14 days of timelock removal or new-signer add (DPRK-precursor pattern); gray = multisig contract not identifiable
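One way to turn the Safe event log into this factor's signal, as an added example rather than defirisk.co's own scorer: it replays the `AddedOwner`/`RemovedOwner`/`ChangedThreshold` events the rubric names to recover threshold direction, then applies the confidence-signal rule above. It assumes a constructed event log with block timestamps, 30-day months, and only the new-signer-add trigger for the red pattern (timelock removal is not a Safe event).

```python
from __future__ import annotations
from dataclasses import dataclass

DAY = 86_400
MONTH = 30 * DAY             # rubric counts months; 30-day months assumed here
PRECURSOR_WINDOW = 14 * DAY  # threshold cut within 14 days of a new-signer add
ROUTINE_WINDOW = 90 * DAY    # confidence-signal window from the rubric

@dataclass
class SafeEvent:
    name: str          # "AddedOwner" | "RemovedOwner" | "ChangedThreshold"
    ts: int            # block timestamp, unix seconds
    value: int | str   # new threshold, or the owner address

def score_signer_rotation(log: list[SafeEvent], now_ts: int,
                          initial_threshold: int | None = None):
    """Return (signal, months_since_last_change, precursor_flag) per the
    rubric's confidence-signal rule. Timelock removal is not a Safe event,
    so only the new-signer-add trigger for the red pattern is checked."""
    if not log:
        return "gray", None, False          # multisig history not resolvable
    events = sorted(log, key=lambda e: e.ts)
    threshold = initial_threshold           # threshold before first logged event
    last_add_ts, precursor, last_was_increase = None, False, False
    for e in events:
        if e.name == "AddedOwner":
            last_add_ts, last_was_increase = e.ts, False
        elif e.name == "RemovedOwner":
            last_was_increase = False
        elif e.name == "ChangedThreshold":
            new_t = int(e.value)
            reduced = threshold is not None and new_t < threshold
            last_was_increase = threshold is not None and new_t > threshold
            # Red precursor: threshold reduced within 14 days of a signer add.
            if reduced and last_add_ts is not None and e.ts - last_add_ts <= PRECURSOR_WINDOW:
                precursor = True
            threshold = new_t
    idle = now_ts - events[-1].ts
    months = idle // MONTH
    if precursor:
        return "red", months, True
    if idle >= ROUTINE_WINDOW or last_was_increase:
        return "green", months, False
    return "yellow", months, False          # routine rotation inside 90 days

# Constructed sample (not chain data): signer added, threshold cut 6 days later.
SAMPLE_LOG = [
    SafeEvent("ChangedThreshold", 1_700_000_000, 3),
    SafeEvent("AddedOwner", 1_720_000_000, "0xAAAA-constructed"),
    SafeEvent("ChangedThreshold", 1_720_518_400, 2),
]
```

Feed it a longer lookback than 14 days so an add/cut pair that straddles the start of the window is not missed.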

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-031 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | gray |
| crvUSD (Curve Stablecoin) | ethereum | gray |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | not_assessed |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | not_assessed |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | gray |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | gray |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | gray |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | gray |
| Orca | solana | gray |
| PancakeSwap | bsc | gray |
| Pendle Finance | ethereum | gray |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | gray |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | gray |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | gray |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | gray |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: 4 historical incidents

- **causal** GANA Payment — Leaked Owner Key + EIP-7702 Delegator Contract (onlyEOA Bypass) · 2025-11-20 · $3M · Signer rotation recency [via cross-hack: Factor 56: Dormant Admin Key > 30 Days]
- **causal** Force Bridge (Nervos Network) — Access control compromise — admin key leak → privileged unlock() drain across two chains · 2025-06-01 · $4M · Signer rotation recency [via cross-hack: Factor 56: Dormant Admin Key > 30 Days]
- **causal** Gala Games (GALA token contract) — Compromised Admin Account — Unauthorized Token Minting · 2024-05-21 · $22M · Signer rotation recency [via cross-hack: Factor 56: Dormant Admin Key > 30 Days]
- **causal** OKX DEX (OKX Decentralized Exchange Aggregator) — Compromised proxy admin key → malicious implementation upgrade → claimTokens() drain of user approvals · 2023-12-13 · $3M · Signer rotation recency [via cross-hack: Factor 56: Dormant Admin Key > 30 Days]
rubric_version: v1.7.0 · factor: RD-F-031 · category: 2 · carried: 80 · critical: no