defirisk.co
rubric v1.7.0

Timelock duration on upgrades

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score #

**What this measures** This factor records the timelock delay between a queued upgrade proposal and the moment it becomes executable, expressed in hours. The value is read directly from the `minDelay` of the protocol's TimelockController or equivalent contract; `getMinDelay()` returns seconds, which are converted to hours for scoring. For protocols without an on-chain timelock, the value is zero. This is the temporal window available to users to exit a protocol before a potentially malicious upgrade takes effect.

**Why it matters** Timelocks are the primary mechanism by which depositors can exit a protocol before a malicious governance action executes. OpenZeppelin's timelock guidance frames the delay as the period during which "the community can better understand and review changes"; for risk dashboard purposes, it is equally the window in which users can withdraw funds after identifying a malicious queued transaction. Ten of the incidents in the evidence base show a zero or near-zero timelock as a contributing factor to the exploit, because the admin action was either instant or faster than any user's practical exit speed.

**Green / Yellow / Red** Green is assigned when the upgrade timelock is at least 48 hours for protocols under $100M TVL, or at least 72 hours for protocols at or above $100M TVL. Yellow covers everything from 12 hours up to the applicable green threshold. Red is assigned when the timelock is zero (instant execution) or under 12 hours on any sensitive action category.

**Common gray cases** This factor is grayed when the upgrade path does not go through a public timelock contract whose delay can be read on-chain, so no `minDelay` value exists to record. Protocols with no upgradeable contracts at all (immutable architecture) are marked not applicable rather than gray, since there is no upgrade for a timelock to delay.

**Notable historical examples**

- **EasyFi** ($59M, 2021): Zero timelock on admin key; single-transaction drain upon key compromise.
- **Orange Finance** ($843K, 2025): No timelock on 1-of-1 multisig; complete drain executed without delay.
- **BrincFi** ($1.1M, 2021): Head of development held full upgrade authority with no timelock; executed drain.
- **OKX DEX** ($2.7M, 2023): Deprecated proxy admin key with no timelock on token approval contract.

Measurement: what to look for #

Read the timelock delay (in hours) between a queued upgrade proposal and its executable state. On an OpenZeppelin-style TimelockController the value is `getMinDelay()` in seconds; it is a floor, since an operation can be scheduled with a longer delay but never a shorter one. Also confirm that the upgrade authority (the proxy admin or owner of the upgradeable contracts) is actually the timelock: a `minDelay` on a timelock that does not hold the upgrade role delays nothing, and an EOA or multisig that can upgrade directly bypasses it entirely.

Data & output #

Data source
`TimelockController.getMinDelay()` or equivalent via RPC; cross-check with governance docs
Output format
Green / Yellow / Red
Evidence artifact
Timelock contract address + `getMinDelay()` return value in seconds + hours-converted
Confidence signal
green = ≥48 hours (≥72 hours at or above $100M TVL); yellow = 12 hours up to the green threshold; red = <12 hours or no timelock; gray = upgrade path does not use a public timelock contract
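The measurement above, as an added example in Python (not defirisk.co's own tooling): it builds the `eth_call` for `getMinDelay()`, decodes the returned seconds, converts to hours, checks that the proxy admin's `owner()` is the timelock, and applies the RD-F-032 thresholds from the Methodology section. It assumes an OpenZeppelin-style TimelockController and an Ownable proxy admin; the two 4-byte selectors are the keccak256 selectors of those signatures and can be re-derived with `cast sig`. The RPC responses in the usage section are constructed, not real chain data. One interpretation is mine: the rubric text does not say how to score 48 to 72 hours on a protocol at or above $100M TVL, and this code treats that band as yellow.

```python
"""Read a TimelockController minDelay over JSON-RPC and score it per RD-F-032.

Added example, not defirisk.co tooling. Selectors are keccak256(sig)[:4]
for OpenZeppelin TimelockController.getMinDelay() and Ownable.owner().
"""
import json
import urllib.request

SEL_GET_MIN_DELAY = "0xf27a0c92"  # getMinDelay()  (cast sig "getMinDelay()")
SEL_OWNER = "0x8da5cb5b"          # owner()        (cast sig "owner()")


def eth_call_payload(to_address, selector, request_id=1):
    """JSON-RPC eth_call for a zero-argument view function at the latest block."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": to_address, "data": selector}, "latest"],
    }


def decode_uint256(result_hex):
    """Decode a single ABI-encoded uint256 return word."""
    raw = result_hex[2:] if result_hex.startswith("0x") else result_hex
    data = bytes.fromhex(raw)
    if len(data) != 32:
        raise ValueError(f"expected a 32-byte return word, got {len(data)} bytes")
    return int.from_bytes(data, "big")


def decode_address(result_hex):
    """Decode an ABI-encoded address (right-aligned in a 32-byte word)."""
    word = decode_uint256(result_hex)
    if word >> 160:
        raise ValueError("upper 12 bytes of an address word must be zero")
    return "0x" + word.to_bytes(20, "big").hex()


def seconds_to_hours(min_delay_seconds):
    return min_delay_seconds / 3600


def score_timelock(min_delay_seconds, tvl_usd, upgradeable=True):
    """Apply the RD-F-032 thresholds.

    None for min_delay_seconds means no public timelock contract to read (gray).
    Zero seconds means no on-chain delay at all (red), per the Methodology text.
    Assumption: 48-72 h on a protocol at or above $100M TVL scores yellow.
    """
    if not upgradeable:
        return "not_applicable"
    if min_delay_seconds is None:
        return "gray"
    hours = seconds_to_hours(min_delay_seconds)
    if hours < 12:
        return "red"
    green_threshold = 72 if tvl_usd >= 100_000_000 else 48
    return "green" if hours >= green_threshold else "yellow"


def evidence_artifact(timelock_address, min_delay_seconds):
    """The evidence artifact the rubric asks for: address, seconds, hours."""
    return {
        "timelock": timelock_address,
        "minDelay_seconds": min_delay_seconds,
        "minDelay_hours": seconds_to_hours(min_delay_seconds),
    }


def upgrade_authority_is_timelock(owner_result_hex, timelock_address):
    """True only if the proxy admin's owner() is the timelock itself.

    A delay on a timelock that does not hold the upgrade role delays nothing.
    """
    return decode_address(owner_result_hex).lower() == timelock_address.lower()


def fetch_min_delay(rpc_url, timelock_address):
    """Live query (not exercised offline): minDelay in seconds via eth_call."""
    body = json.dumps(eth_call_payload(timelock_address, SEL_GET_MIN_DELAY)).encode()
    req = urllib.request.Request(
        rpc_url, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return decode_uint256(reply["result"])


if __name__ == "__main__":
    # Constructed sample responses, not real chain data.
    TIMELOCK = "0x1111111111111111111111111111111111111111"
    min_delay_result = "0x" + (172800).to_bytes(32, "big").hex()   # 48 h
    owner_result = "0x" + int(TIMELOCK, 16).to_bytes(32, "big").hex()
    secs = decode_uint256(min_delay_result)
    print(evidence_artifact(TIMELOCK, secs))
    print(score_timelock(secs, tvl_usd=50_000_000))    # green
    print(score_timelock(secs, tvl_usd=500_000_000))   # yellow
    print(upgrade_authority_is_timelock(owner_result, TIMELOCK))  # True
```

For a live run, call `fetch_min_delay("https://<rpc endpoint>", "<timelock address>")` and feed the result to `score_timelock` together with the protocol's TVL; the `owner()` call against the ProxyAdmin goes through the same `eth_call_payload` helper with `SEL_OWNER`.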

Scored protocols: 80 carry this factor #

| Protocol | Chain | RD-F-032 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | red |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | red |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | red |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | red |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | red |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | red |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | red |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | red |
| Jito | solana | yellow |
| Jupiter | solana | red |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | green |
| Kamino Lend | solana | red |
| Kinetiq | hyperliquid | red |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | red |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | red |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | red |
| Meteora | solana | red |
| mETH Protocol | ethereum | red |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | red |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | red |
| Orca | solana | yellow |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | red |
| Polymarket | polygon | red |
| QuickSwap | polygon | red |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | green |
| Sanctum | solana | red |
| Save (formerly Solend) | solana | red |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | red |
| Stake DAO | ethereum | red |
| StakeWise v3 | ethereum | red |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | red |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | red |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | red |
| Symbiotic | ethereum | red |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | red |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | red |
| Veda (BoringVault) | ethereum | red |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: 11 historical incidents #

- [related] IoTeX (ioTube Bridge) · 2026-02-21 · $4M · Private key compromise → malicious contract upgrade → TokenSafe drain + MinterPool abuse · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- [related] Hacken ($HAI token) · 2025-06-20 · $170K · Bridge private key leak from decommissioned server → unauthorized token minting → dump · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- [related] Force Bridge (Nervos Network) · 2025-06-01 · $4M · Access control compromise: admin key leak → privileged unlock() drain across two chains · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- [related] Orange Finance · 2025-01-07 · $844K · Admin private key compromise → proxy upgrade → privileged drain of LP vault positions · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- [related] Grand Base · 2024-04-15 · $2M · Deployer wallet private key leak → unauthorized token minting → dump · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- [related] OKX DEX (OKX Decentralized Exchange Aggregator) · 2023-12-13 · $3M · Compromised proxy admin key → malicious implementation upgrade → claimTokens() drain of user approvals · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- [related] RocketSwap · 2023-08-14 · $869K · Bruteforced server private keys → farming contract drain via proxy admin + high-risk permissions · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- [illustrative] Raydium · 2022-12-16 · $4M · Compromised pool owner private key → withdraw_pnl() fee drain + SyncNeedTake parameter manipulation · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- [related] BrincFi · 2021-12-14 · $1M · Insider backdoor: rescueTokens() admin drain via ownership transfer + malicious contract upgrade · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- [related] Snowdog (SnowdogDAO) · 2021-11-25 · $21M · Insider front-running: privileged challengeKey knowledge + custom AMM sniping · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- [related] EasyFi (Easy Network) · 2021-04-19 · $59M · Admin key theft via compromised machine (malicious MetaMask binary) · Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
rubric_version: v1.7.0 · factor: RD-F-032 · category: 2 · carried: 80 · critical: no