defirisk.co
rubric v1.7.0

Sudden admin-rescue/ACL change without discussion

Concrete's assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

CRITICAL ★ — YELLOW. The ConcreteFactory proxy (0x0265d73a) received an implementation upgrade on ~March 19 2026 (block 24692293, 58 days before assessment), and the vault proxy ctDeFiUSDT was upgraded on ~May 6 2026. Both upgrades were executed via the ConcreteFactory's owner, a 3-of-5 Gnosis Safe (0xdc29BD10CB9000dffBb5aAcD30606c66f07c866C, Safe v1.4.1, threshold=3, 5 owners, nonce=26), verified on-chain via the Safe Transaction Service API by the code-security and governance-admin specialists using the U18-correct method.

CORRECTION (U3 cross-specialist fact): a prior version of this assessment stated that the upgrade authority was the deployer EOA (0x1fa1c72a) acting as a single EOA admin with no multisig. That framing was an underived assumption and has been corrected: the deployer EOA is only the historical deployer; the 3-of-5 Gnosis Safe is the live admin authority and executes upgrades via execTransaction.

No public governance forum exists and no Snapshot space was found; no GitHub issue or PR preceding these upgrades was found.

Sources

  • Etherscan: ConcreteFactory proxy — Etherscan upgrade events
    ConcreteFactory proxy on Etherscan: 2 recorded implementation upgrades; most recent at block 24692293 (~58 days ago); upgrade events confirmed on-chain. Retrieved 2026-05-17.
  • URL: ConcreteFactory admin — Gnosis Safe 3-of-5 (Safe Transaction Service API)
    Safe Transaction Service API: ConcreteFactory admin Safe 0xdc29BD10CB9000dffBb5aAcD30606c66f07c866C; Safe v1.4.1, threshold=3, 5 owners, nonce=26; verified by code-security and governance-admin specialists via the U18-correct method. Retrieved 2026-05-17.
  • Internal: 00-profile.md §6 — governance topology
    Profile §6: no governance forum found; snapshot_space: null; no Tally, no Governor; admin authority is the 3-of-5 Gnosis Safe per cross-specialist derivation. Retrieved 2026-05-17.

Methodology

Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or a governance forum.


rubric_version: v1.7.0 · protocol: concrete · factor: RD-F-123 · score: yellow · collected_at: 2026-05-17 14:36:59