★ Sudden admin-rescue/ACL change without discussion
Chainlink CCIP's assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
CCIP admin changes flow through the documented MCMS -> RBACTimelock (2-day minimum delay) -> node-operator veto pathway, providing on-chain transparency. However, no public governance forum (Snapshot, Commonwealth, Tally) exists for CCIP configuration changes. Major version upgrades (v1.5 Jan 2025, v1.6 May 2025) were blog-announced coincident with deployment ('is now live' language), not with a 14+ day pre-deployment public discussion period. Dev changelog shows only lane deprecation/addition entries, no ACL change entries. No evidence of emergency admin-rescue or out-of-timelock ACL change found. Yellow: structural gap in off-chain pre-announcement discipline; not an insider-implant signal. The bypasser role (0x177A2884D8d3F78d9b4C758a7EA7f86d42920c2d) use history not checked at this tier — governance-admin-analyst should verify.
Sources #
- URLCCIP v1.6 Is Now Live | Chainlink BlogCCIP v1.6 launch blog — 'is now live' announcement language; no prior forum discussion windowretrieved 2026-05-16
- CCIP Upgradability / Governance | Chainlink DocumentationCCIP upgradability docs — describes MCMS + RBACTimelock process; on-chain transparency cited; no off-chain pre-announcement forum mentionedretrieved 2026-05-16
- Changelog and Releases | ChainlinkChainlink dev changelog — no ACL/access-control change entries found; only lane deprecation/addition entriesretrieved 2026-05-16
Methodology #
Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.
See the full factor methodology and distribution across all protocols →