defirisk.co
rubric v1.7.0

Role separation: upgrade ≠ fee ≠ oracle

Chainlink CCIP's assessment for RD-F-035 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Role separation exists at multiple layers. RBACTimelock has distinct proposer (MCMS 0x20D64e...), canceller/bypasser (MCMS 0x177A28...), and admin (0x16B534...) roles. FeeQuoter uses AuthorizedCallers for price updates, separate from the owner. OnRamp uses an AllowlistAdmin role for sender allowlists, and the rate-limit admin is a distinct role. All critical roles ultimately trace to MCMS contracts controlled by Chainlink Labs, so some centralization exists at the entity level, but the role architecture is separated.

Sources

  • Etherscan
    CCIP RBACTimelock — Etherscan roles
    RBACTimelock role holders — proposer: 0x20D64e2a..., bypasser: 0x177A2884..., admin: 0x16B5346E..., cancellers include 0xF99af744... and 0x177A2884...
    retrieved 2026-05-16
  • GitHub
    FeeQuoter.sol — Code4rena 2024-11-chainlink
    FeeQuoter.sol — AuthorizedCallers for price updates separate from owner; OnRamp.sol — AllowlistAdmin separate from owner
    retrieved 2026-05-16

Methodology

Determine whether the upgrade role, fee-collection role, and oracle-config role are assigned to distinct addresses.


rubric_version: v1.7.0
protocol: chainlink-ccip
factor: RD-F-035
score: green
collected_at: 2026-05-16 01:55:09