Emergency-veto multisig present

Chainlink CCIP's assessment for RD-F-040 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Two veto mechanisms: (1) Node operators securing CCIP can veto any proposal during the 2-day RBACTimelock review window; (2) RMN can curse/halt all lanes independently of admin. Both are distinct from the upgrade/config admin path.

Sources #

Docs
Onchain Architecture - Upgradability (EVM) | Chainlink DocumentationChainlink upgradability docs — node operators can veto proposals during review period; RMN provides independent halt capabilityretrieved 2026-05-16
URL
CCIP Risk Management Network | Chainlink BlogChainlink RMN blog — RMN can issue curse to halt all CCIP lanes globallyretrieved 2026-05-16

Methodology #

Determine whether an emergency-veto or guardian multisig exists with power to cancel malicious proposals before execution.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol chainlink-ccip factor RD-F-040 score green collected_at 2026-05-16 01:55:09