★ Sudden admin-rescue/ACL change without discussion
Axelar Network's assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Two findings assessed:
- (1) Governance Proposal 256 (disabled Chain Maintainer auto-deregistration): followed a 5-month Immunefi responsible-disclosure process and went through the public Cosmos x/gov vote. Not an unannounced admin rescue; the prior disclosure trail is clear.
- (2) EVM custom Multisig (0xCC940AE49C78F20E3F13F3cF37e996b98Ac3EC68): signerEpoch=3 at the assessment date, meaning at least 2 signer rotations since the Oct 2023 deployment. No public forum discussion corresponding to these EVM-side signer rotations was located. Rate limits are set via the 'governed multisig' for emergency speed (per docs).
The Circle acquisition (Dec 2025) was fully disclosed publicly, with the successor developer (Common Prefix) named. The EVM multisig rotation documentation gap (not the Cosmos governance path) is the basis for yellow rather than green.
Sources
- EVM Contract Governance | Axelar Docs: the EVM governance docs state that rate limits are set via a governed multisig for emergency speed and are changeable by on-chain governance, which implies the multisig acts before a governance vote in emergency scenarios. Retrieved 2026-05-17.
- Halting Cross-chain: Axelar Network Vulnerability Disclosure | Marco Hextor: Proposal 256 context; vulnerability disclosure, 5-month Immunefi mediation, $50k bounty, public Cosmos x/gov resolution; documents the prior discussion. Retrieved 2026-05-17.
- Axelar: Multisig | Address 0xCC940AE49C78F20E3F13F3cF37e996b98Ac3EC68 | Etherscan: custom Multisig 0xCC940AE49C78F20E3F13F3cF37e996b98Ac3EC68; signerEpoch=3, deployed 2023-10-20, last activity Jan 4 2026; SignersRotated event confirms rotations occurred. Retrieved 2026-05-17.
- Circle Signs Agreement to Acquire Interop Labs Team & IP | Axelar Blog: Circle acquisition announced publicly on the Axelar blog in Dec 2025; orderly transition, Common Prefix named as successor developer. Retrieved 2026-05-17.
Methodology
Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.
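The check above can be made mechanical: export the contract's ACL-changing events (here, signer rotations), export the public discussion records for the same contract, and flag every change that has no discussion posted in a lookback window ending at the change. The script below is an added illustration of that correlation, not tooling from the assessed project or the rubric's curators. The event rows, forum posts, contract address and the 90-day lookback are all constructed assumptions; only the event name SignersRotated and the idea of a signer epoch come from the evidence above.

```python
"""Correlate on-chain ACL change events with prior public discussion.

Added example for the methodology described on this page; it is not code
from the assessed project. Every event row, forum post, timestamp and the
contract address below is constructed sample data (placeholder, not a real
deployment). The lookback window is an assumed parameter.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO

# Constructed export of ACL-changing events, in the CSV shape an explorer or
# indexer might produce. Columns: block, timestamp (ISO 8601), contract,
# event, epoch. The address is a placeholder.
EVENT_CSV = """\
block,timestamp,contract,event,epoch
19000000,2024-03-01T12:00:00Z,0xPLACEHOLDER_MULTISIG,SignersRotated,1
21000000,2024-11-15T09:30:00Z,0xPLACEHOLDER_MULTISIG,SignersRotated,2
22500000,2025-06-10T18:45:00Z,0xPLACEHOLDER_MULTISIG,SignersRotated,3
"""

# Constructed public-discussion records (forum posts, governance proposals).
# The second post is deliberately dated after the epoch-3 rotation: a
# post-hoc write-up is not prior discussion and must not clear the finding.
DISCUSSIONS = [
    {"venue": "forum", "title": "Proposal: rotate multisig signers (epoch 1)",
     "posted_at": "2024-02-20T00:00:00Z", "contract": "0xPLACEHOLDER_MULTISIG"},
    {"venue": "forum", "title": "Write-up on the June signer change",
     "posted_at": "2025-08-01T00:00:00Z", "contract": "0xPLACEHOLDER_MULTISIG"},
]


@dataclass(frozen=True)
class AclChange:
    block: int
    occurred_at: datetime
    contract: str
    event: str
    epoch: int


def parse_iso(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is mapped to UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_events(text: str) -> list[AclChange]:
    """Parse the CSV export into AclChange records, oldest first."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append(AclChange(
            block=int(row["block"]),
            occurred_at=parse_iso(row["timestamp"]),
            contract=row["contract"].lower(),   # normalise for comparison
            event=row["event"],
            epoch=int(row["epoch"]),
        ))
    return sorted(rows, key=lambda c: c.block)


def find_undiscussed(changes: list[AclChange], discussions: list[dict],
                     lookback_days: int = 90) -> list[AclChange]:
    """Return the changes that have no discussion about the same contract
    posted within lookback_days before (and up to) the change itself.
    Discussion after the change does not count: the rubric asks whether
    the change was discussed *before* it was executed."""
    flagged = []
    for c in changes:
        window_start = c.occurred_at - timedelta(days=lookback_days)
        prior = [
            d for d in discussions
            if d["contract"].lower() == c.contract
            and window_start <= parse_iso(d["posted_at"]) <= c.occurred_at
        ]
        if not prior:
            flagged.append(c)
    return flagged


def report(changes: list[AclChange], discussions: list[dict],
           lookback_days: int = 90) -> list[str]:
    """Human-readable lines, one per undiscussed change."""
    return [
        f"{c.event} epoch={c.epoch} at {c.occurred_at.date()} (block {c.block}): "
        f"no public discussion for {c.contract} in the prior {lookback_days} days"
        for c in find_undiscussed(changes, discussions, lookback_days)
    ]


if __name__ == "__main__":
    for line in report(parse_events(EVENT_CSV), DISCUSSIONS):
        print(line)
```

On the constructed data, epoch 1 is cleared by the forum post nine days earlier, while epochs 2 and 3 are flagged; widening the lookback to a year clears epoch 2 as well but never epoch 3, because the only post about that rotation was written after the fact. A real run would replace the CSV with an event export for the contract and the dictionary list with scraped forum or governance records.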