Timelock on sensitive actions
Concrete's assessment for RD-F-033 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
No timelock on any sensitive action. ConcreteFactory approveImplementation, blockImplementation, and factory upgrade are all gated only by onlyOwner (the 3-of-5 Safe) with no timelock modifier. VaultProxy upgrades execute immediately. No emergency pause with timelock. No oracle config function in ConcreteFactory (oracles are at strategy level).
Sources #
- EtherscanConcreteFactory owner Safe — Etherscan (no timelock interactions)Safe tx history: all 26 transactions are direct execTransaction with no TimelockController interactionsretrieved 2026-05-17
- ConcreteFactory.sol — GitHub raw source (onlyOwner gates, no timelock)ConcreteFactory.sol: all sensitive functions gated by onlyOwner only; no TimelockController import or usage; _authorizeUpgrade also only onlyOwnerretrieved 2026-05-17
Methodology #
For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol concrete factor RD-F-033 score red collected_at 2026-05-17 14:36:59