Timelock on sensitive actions
Beefy Finance's assessment for RD-F-033 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Strategy upgrades (upgradeStrat): YES, 6h vault-level delay. panic(): NO timelock, immediate by onlyManager. inCaseTokensGetStuck(): NO timelock, immediate by onlyOwner. setKeeper(): NO timelock, immediate by onlyManager. Fee config setters: NO timelock. BIFI token: no admin-callable sensitive functions remain. Multiple sensitive actions lack timelock coverage.
Sources #
- GitHubBaseAllToNativeFactoryStrat.sol — panic() no timelockBaseAllToNativeFactoryStrat.sol panic() public onlyManager — no timelock modifierretrieved 2026-05-16
- BeefyVaultV7.sol — inCaseTokensGetStuck no timelockBeefyVaultV7.sol inCaseTokensGetStuck() external onlyOwner — no timelock modifierretrieved 2026-05-16
- Beefy StratFeeManager Contract DocumentationStratFeeManager setters (setBeefyFeeConfig, setUnirouter) onlyOwner with no timelock documentedretrieved 2026-05-16
Methodology #
For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol beefy factor RD-F-033 score yellow collected_at 2026-05-16 13:10:30