★ Immutable oracle address
Circle USYC's assessment for RD-F-180 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[★ F180 critical-CANDIDATE per PD-017 — flag for T-14 promotion review] Partial immutability pattern: the Teller implementation has a setOracle function (ABI confirmed), so the oracle contract address is admin-swappable at the Teller level. However, within the live oracle contract (GenericNextPriceAggregator), the _reporter address is declared immutable (set at deployment to 0x9fde717a21c5b272B8956d3AA0c3551E1FFd23D7). To replace the reporter, Circle must deploy a new oracle implementation and upgrade the proxy. No timelock on the Teller setOracle call was confirmed. Score: yellow — oracle address replaceable (not fully immutable at contract level) but reporter within oracle is immutable; no timelock on oracle swap.
Sources #
- EtherscanTeller Implementation ABI - EtherscanTeller implementation at 0xF8724D6b9E6fF55Bc4496fddb3437DC691CD26EB - setOracle(address) function present in ABI confirming oracle address is admin-replaceable at Teller levelretrieved 2026-05-16
- GenericNextPriceAggregator Oracle Implementation - EtherscanGenericNextPriceAggregator at 0x6DeaA761bc131Ac5f1D562EE71819E846EF11624 - immutable address _reporter confirmed; no setter function for _reporterretrieved 2026-05-16
- 00-profile.md §6 timelock absenceProfile §6 confirms no timelock address identified - no timelock on admin actions including setOracleretrieved 2026-05-16
Methodology #
Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.
See the full factor methodology and distribution across all protocols →