defirisk.co
rubric v1.7.0

Guardian/pause-keeper distinct from upgrader

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor checks whether the protocol's access-control system defines a distinct guardian or pause-keeper role and whether that role is held by an address other than the upgrader (for a proxy, the address that controls the ProxyAdmin or holds the upgrade role). A separate pauser is a role-separation signal: an emergency pause can be executed by a party that does not also hold upgrade authority, so compromise of the pauser key yields the pause capability alone rather than full administrative control.

**Why it matters** Role separation is a defense-in-depth principle: a single compromised key should grant an attacker the minimum possible authority, not every administrative power at once. When the same address or multisig is both pauser and upgrader, an attacker who compromises it can not only pause the protocol (blocking user withdrawals) but also upgrade it, turning a defensive mechanism into an offensive one. Protocols that separate the roles confine a compromised pauser to the pause action, buying time for the legitimate governance process to respond. The protection is one-directional: a compromised upgrader can still replace the implementation, pause logic included, so separation reduces the damage from a lost pauser key, not from a lost upgrader key.

**Green / Yellow / Red** Green is assigned when a guardian or pause role exists, is held by an address distinct from the upgrader, and that address is a multisig with at least a 2-of-N threshold. Yellow covers cases where the pause role is distinct from the upgrader but held by a single EOA, or where a pause mechanism exists but is ultimately gated behind the same multisig as the upgrade path (for example a guardian contract whose owner is the upgrade multisig). Red is assigned when no distinct pause role exists (upgrade is the only emergency mechanism) or when the pause and upgrade roles share the same controlling address.

**Common gray cases** This factor is grayed when the protocol has no pause mechanism at all (fully immutable or fully permissionless) — absence of a pause capability is its own risk dimension assessed elsewhere.

**Notable historical examples** No incidents in the hack database are currently linked to this factor.

Measurement: what to look for

Determine whether a pauser/guardian role exists and, if so, enumerate every member of that role (a role can have several holders) and compare each against the upgrader address, normalising address case before comparing. If any member equals the upgrader, the separation is nominal only.

Data & output

Data source: `PAUSER_ROLE` / `GUARDIAN_ROLE` members read via `getRoleMemberCount()` and `getRoleMember()` (OpenZeppelin `AccessControlEnumerable`), plus the upgrader address; the two are compared.
Output format: Green / Yellow / Red
Evidence artifact: pauser role address(es), upgrader address, and the result of the equality check
Confidence signal: green = distinct addresses; yellow = same contract intermediary but different signing key; red = same address holds both roles; gray = no pause functionality present

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-034 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | red |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | red |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | green |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | red |
| QuickSwap | polygon | red |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | green |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | red |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | red |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | red |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks

No historical incidents are linked to this factor.
rubric_version: v1.7.0; factor: RD-F-034; category: 2; carried: 80; critical: no