defirisk.co
rubric v1.7.0

Proposal execution delay < 24h

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor measures the time between a governance proposal passing and when it becomes executable — the internal execution delay, distinct from the voting period. If a proposal that receives the final approving vote can be executed within 24 hours, the community has insufficient time to identify and respond to a malicious proposal that was disguised as benign during the voting period.

**Why it matters** The Sonne Finance and Radiant Capital first-incident exploits both involved governance execution windows so short that a prepared attacker could observe the vote result and front-run execution with a malicious transaction. Sonne lost $20M when an attacker front-ran the activation of a new market after the governance proposal passed. Radiant's first incident ($4.5M) involved a 6-second window between market activation and the attacker's donation-exploit transaction. An execution delay under 24 hours gives attackers who monitor governance activity a sufficient window to prepare and execute attacks before defenders can respond.

**Green / Yellow / Red** Green is assigned when the time between proposal pass and execution is at least 48 hours, providing the community and automated watchers meaningful response time. Yellow covers 24–48 hours. Red is assigned when the internal execution delay is under 24 hours, meaning a malicious proposal can be executed within one day of passing.

**Common gray cases** This factor is grayed when the protocol has no on-chain governance execution (Snapshot-only with manual multisig execution), where execution timing is not mechanically determined.

**Notable historical examples**

- **Sonne Finance** ($20M, 2024): Permissionless governance execution after proposal pass; attacker front-ran market activation.
- **Radiant Capital (1st incident)** ($4.5M, 2024): 6-second window between activation and exploit; no meaningful response time.

Measurement: what to look for

Determine whether the time between a governance proposal passing and its executability (including any internal delay) is less than 24 hours.

Data & output

**Data source** Governance contract `votingDelay()`, `votingPeriod()`, and timelock `getMinDelay()` via RPC

**Output format** Green / Yellow / Red

**Evidence artifact** Governance contract address + delay parameters + total delay hours

**Confidence signal** green = total delay ≥ 48 hours; yellow = 24–47 hours; red = <24 hours; gray = no on-chain governance
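
An added example (not defirisk.co's own scoring code) of turning the three readings above into a rating and an evidence record. It assumes the rating is taken from the post-pass delay alone (timelock `getMinDelay()`), with the voting parameters kept as evidence only, and that block-based governor clocks use a 12-second block time; the class, field and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

HOUR = 3600

@dataclass
class GovernanceParams:
    governor: Optional[str]            # governance contract address; None = no on-chain execution
    voting_delay: int = 0              # votingDelay(), in the governor's clock units
    voting_period: int = 0             # votingPeriod(), in the governor's clock units
    timelock_min_delay_s: Optional[int] = None  # getMinDelay(), seconds; None = no timelock
    clock_is_timestamp: bool = False   # assumption: False means the clock counts blocks
    block_time_s: float = 12.0         # assumption: average block time for block clocks

def score_execution_delay(p: GovernanceParams) -> dict:
    """Rate the pass-to-executable delay; the voting window is evidence only."""
    if p.governor is None:
        return {"rating": "gray", "governor": None, "execution_delay_hours": None}
    unit_s = 1.0 if p.clock_is_timestamp else p.block_time_s
    exec_s = p.timelock_min_delay_s or 0   # no timelock: executable as soon as it passes
    if exec_s >= 48 * HOUR:
        rating = "green"
    elif exec_s >= 24 * HOUR:
        rating = "yellow"
    else:
        rating = "red"
    return {
        "rating": rating,
        "governor": p.governor,
        "voting_delay_hours": round(p.voting_delay * unit_s / HOUR, 2),
        "voting_period_hours": round(p.voting_period * unit_s / HOUR, 2),
        "execution_delay_hours": round(exec_s / HOUR, 2),
    }

# Constructed sample values, not readings from any real protocol.
GOV = "0x" + "00" * 19 + "01"   # placeholder address
SAMPLES = {
    "week_long_vote_no_timelock": GovernanceParams(GOV, 7200, 50400, None),
    "two_day_timelock": GovernanceParams(GOV, 7200, 21600, 172800),
    "exactly_24h": GovernanceParams(GOV, 86400, 259200, 86400, clock_is_timestamp=True),
    "twenty_three_hours": GovernanceParams(GOV, 7200, 21600, 82800),
    "snapshot_multisig": GovernanceParams(None),
}

if __name__ == "__main__":
    for name, params in SAMPLES.items():
        print(name, score_execution_delay(params))
```

The first sample is the case the factor exists to catch: a seven-day vote with no timelock still rates red, because the voting window does not count toward the post-pass delay.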

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-038 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | red |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | not_applicable |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | gray |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | red |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | green |
| Kamino Lend | solana | red |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | red |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | red |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | red |
| Meteora | solana | red |
| mETH Protocol | ethereum | red |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | green |
| PancakeSwap | bsc | red |
| Pendle Finance | ethereum | not_assessed |
| Polymarket | polygon | not_applicable |
| QuickSwap | polygon | red |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | green |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | red |
| StakeWise v3 | ethereum | red |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | red |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: 2 historical incidents

- causal · Sonne Finance — Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation · 2024-05-14 · $20M · Proposal execution delay < 24h [via cross-hack: Factor 31: Permissionless Governance Execution Window]
- causal · Radiant Capital (1st incident) — Compound V2 / Aave V2 empty-market rounding error — new USDC market with totalSupply = 0 · 2024-01-02 · $5M · Proposal execution delay < 24h [via cross-hack: Factor 31: Permissionless Governance Execution Window]

rubric_version v1.7.0 factor RD-F-038 category 2 carried 80 critical no