★ Sudden admin-rescue/ACL change without discussion
Curve Finance's assessment for RD-F-123 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[CRITICAL ★] The Emergency DAO's (eDAO) authority is narrowly scoped to gauge kills and pool kills: it cannot change admin keys, transfer ownership, or modify ACLs. All Ownership-track changes require a 7-day Aragon DAO vote. The August 2023 eDAO gauge kill post-exploit was within documented scope. There is no evidence of a non-routine admin rescue or ACL change without preceding public discussion in the last 180 days or in the full incident history reviewed. Egorov's 2023 personal loan crisis required zero protocol admin action.
Sources
- Curve Finance Emergency DAO Ends Rewards for Exploited Pools | Unchained (eDAO gauge kill, Aug 2023; retrieved 2026-04-28)
- Curve Pool Reentrancy Exploit Postmortem July 30th 2023 | LlamaRisk (July 2023 exploit postmortem; retrieved 2026-04-28)
Methodology
Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.