Timelock on sensitive actions

Compound V3 (Comet)'s assessment for RD-F-033 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Upgrade: timelocked (CometProxyAdmin.owner = Timelock). Oracle config (Configurator): timelocked. Market params: timelocked. Fund drain (approveThis, withdrawReserves): timelocked (governor = Timelock). Pause: NOT timelocked (Community MultiSig direct pause, by design as emergency mechanism). 4 of 5 sensitive action classes timelocked; pause intentionally exempt.

Sources #

Etherscan
https://etherscan.io/address/0x1EC63B5883C3481134FD50D5DAebc83Ecd2E8779retrieved 2026-04-28
Docs
https://docs.compound.finance/governance/retrieved 2026-04-28
GitHub
https://github.com/compound-finance/comet/blob/main/contracts/CometMainInterface.solretrieved 2026-04-28

Methodology #

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol compound-v3 factor RD-F-033 score yellow collected_at 2026-04-28 00:20:50