★ Single admin EOA
crvUSD (Curve Stablecoin)'s assessment for RD-F-027 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[CRITICAL] ControllerFactory 0xC9332fdCB1C491Dcc683bAe86Fe3cb70360738BC admin() = 0xbabe61887f1de2713c6f97e567623453d3c79f67 (Curve Deployer 2 EOA). This EOA can call set_debt_ceiling(), add_market(), set_admin() with zero timelock. Contract deployed May 2023; admin unchanged as of May 2026 (3+ years). MixBytes audit explicitly flagged that DAO must own the factory, not an EOA.
Sources
- Etherscan, ControllerFactory "Read Contract" admin(): admin() on ControllerFactory 0xC9332fdCB1C491Dcc683bAe86Fe3cb70360738BC returns 0xbabe61887f1de2713c6f97e567623453d3c79f67 (Curve: Deployer 2). Retrieved 2026-05-16.
- MixBytes crvUSD Security Audit Report (June 2023): 'it is imperative that only DAO owns the factory, not an EOA' (recommendation). Retrieved 2026-05-16.
- Etherscan, Curve Deployer 2: address 0xbabe61887f1de2713c6f97e567623453d3c79f67 is labeled as an EOA contract deployer on Etherscan. Retrieved 2026-05-16.
Methodology
Determine whether the effective upgrade/owner/rescue role is held by a single EOA (not a multisig) with no timelock on sensitive operations.
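The following is an added example of how this check can be reproduced against a node; it is not Curve's code and not part of the assessment. It assumes the standard admin() getter (Vyper's public `admin` variable exposes the same selector, 0xf851a440) and uses the two addresses quoted above. The node transport is injected, so the demo runs offline against a constructed stand-in (`constructed_rpc`) whose responses mirror the evidence: the factory's admin() resolves to Deployer 2, and Deployer 2 has no bytecode. Note that "admin has code" does not by itself establish a multisig or a timelock, so that branch is reported as needing review rather than as a pass.

```python
"""Added example (not crvUSD/Curve code): classify a contract's admin() as an EOA or a
contract over raw JSON-RPC, with the transport injected so it can run offline."""
import json
import urllib.request
from typing import Any, Callable, Dict, List

# First 4 bytes of keccak256("admin()"); Vyper's public `admin` variable has the same getter.
ADMIN_SELECTOR = "0xf851a440"

# Addresses taken from the assessment above.
FACTORY = "0xC9332fdCB1C491Dcc683bAe86Fe3cb70360738BC"
DEPLOYER_2 = "0xbabe61887f1de2713c6f97e567623453d3c79f67"

RpcFn = Callable[[str, List[Any]], str]


def word_to_address(word: str) -> str:
    """Decode a 32-byte ABI return word into a lowercase 0x-prefixed address."""
    h = word[2:] if word.startswith("0x") else word
    if len(h) != 64:
        raise ValueError(f"expected a 32-byte ABI word, got {len(h) // 2} bytes")
    return "0x" + h[-40:].lower()


def read_admin(rpc: RpcFn, contract: str) -> str:
    """eth_call admin() on `contract` and decode the returned address."""
    raw = rpc("eth_call", [{"to": contract, "data": ADMIN_SELECTOR}, "latest"])
    return word_to_address(raw)


def has_code(rpc: RpcFn, address: str) -> bool:
    """True if the address holds runtime bytecode (a contract); False for an EOA."""
    code = rpc("eth_getCode", [address, "latest"])
    return code not in ("", "0x", "0x0")


def assess_admin(rpc: RpcFn, contract: str) -> Dict[str, Any]:
    """Apply the factor check: is the admin role held by a bare EOA?

    A contract admin is not automatically safe (it may be a 1-of-1 Safe or have no
    timelock), so that case is reported as REVIEW rather than as a pass.
    """
    admin = read_admin(rpc, contract)
    if not has_code(rpc, admin):
        return {"contract": contract, "admin": admin, "admin_is_eoa": True,
                "severity": "CRITICAL",
                "finding": "admin() is an EOA: privileged calls have no multisig or timelock"}
    return {"contract": contract, "admin": admin, "admin_is_eoa": False,
            "severity": "REVIEW",
            "finding": "admin() is a contract: verify signer threshold and timelock"}


def json_rpc_transport(url: str) -> RpcFn:
    """Real transport for a live node (the offline demo below does not use it)."""
    def call(method: str, params: List[Any]) -> str:
        body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method,
                           "params": params}).encode()
        req = urllib.request.Request(url, data=body,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            payload = json.load(resp)
        if "error" in payload:
            raise RuntimeError(payload["error"])
        return payload["result"]
    return call


def constructed_rpc(method: str, params: List[Any]) -> str:
    """Constructed offline stand-in for a node. Its responses mirror the evidence:
    factory.admin() -> Deployer 2, Deployer 2 has no code, every other address has code."""
    if method == "eth_call" and params[0]["data"] == ADMIN_SELECTOR:
        return "0x" + DEPLOYER_2[2:].rjust(64, "0")
    if method == "eth_getCode":
        # "0x6080604052" is a constructed placeholder for non-empty bytecode.
        return "0x" if params[0].lower() == DEPLOYER_2 else "0x6080604052"
    raise NotImplementedError(method)


if __name__ == "__main__":
    # Swap constructed_rpc for json_rpc_transport("http://localhost:8545") to query a real node.
    print(json.dumps(assess_admin(constructed_rpc, FACTORY), indent=2))
```

Against a live node, replace `constructed_rpc` with `json_rpc_transport(<your RPC URL>)`; the eth_getCode check only distinguishes EOA from contract, so a contract admin still needs a manual look at its signer set and any timelock.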