★ Immutable oracle address
Concrete's assessment for RD-F-180 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[★ CRITICAL — F180 PD-017 CANDIDATE, compose-counted] GREEN. No oracle address of any kind exists in Concrete's vault contracts — neither immutable, nor admin-replaceable. The 19 Chainlink feed addresses in the data cache belong to external strategy protocols (Aave, Morpho, Silo) consumed by those protocols' own contracts. Concrete's vault bytecode (ConcreteStandardVaultImpl, AllocateModule, BaseStrategy) contains zero oracle address constants, no oracle interface imports, and no oracle function calls. There is nothing to be immutable. Source inspections of all three core contracts confirmed. Halborn V2 audit (Sep 2025) found zero oracle-related findings in the audited scope.
Sources #
- GitHubConcreteStandardVaultImpl.sol — oracle absence confirmed (F180 ★)src/implementation/ConcreteStandardVaultImpl.sol — no oracle import, no oracle address, no Chainlink/Pyth/Redstone interfaceretrieved 2026-05-17
- AllocateModule.sol + BaseStrategy.sol — no oracle addresssrc/module/AllocateModule.sol — no oracle address; src/periphery/strategies/BaseStrategy.sol — no oracle import confirmedretrieved 2026-05-17
- Halborn Blueprint Finance Earn V2 Core Audit (Sep 2025)Halborn Earn V2 Core (Sep 2025) — zero oracle-related findings in scope (ConcreteStandardVaultImpl, ConcreteFactory, VaultProxy, AllocateModule)retrieved 2026-05-17
Methodology #
Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.
See the full factor methodology and distribution across all protocols →