defirisk.co
rubric v1.7.0

Timelock on sensitive actions

crvUSD (Curve Stablecoin)'s assessment for RD-F-033 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Sensitive actions accessible by the Deployer 2 EOA without timelock: set_debt_ceiling (mint-equivalent), add_market (new collateral), set_monetary_policy on Controllers (oracle config). Emergency DAO (5-of-9) handles pause with no independent timelock. Only fee routing has role separation (fee_receiver distinct). No timelocked execution path exists for the EOA admin.

Sources

  • Etherscan
    crvUSD Controller (wstETH) readContract
    Controller readContract shows set_monetary_policy, set_borrowing_discounts, set_amm_fee as admin functions
    retrieved 2026-05-16
  • Etherscan
    ControllerFactory function list
    ControllerFactory readContract shows set_debt_ceiling, fee_receiver, admin functions; admin is EOA with no timelock contract
    retrieved 2026-05-16

Methodology

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.


rubric_version: v1.7.0
protocol: crvusd
factor: RD-F-033
score: red
collected_at: 2026-05-16 19:09:40