Role separation: upgrade ≠ fee ≠ oracle
Ethena's assessment for RD-F-035 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
No upgrade function exists (non-upgradeable contracts). Roles are separated at contract level: MINTER_ROLE, REDEEMER_ROLE, GATEKEEPER_ROLE distinct from DEFAULT_ADMIN_ROLE. However, Dev Multisig holds owner/admin over all contracts simultaneously — single Safe controls all levers including minter assignment, collateral config, role grants.
Sources #
- GitHubCode4rena 2023-10-ethena — roles: DEFAULT_ADMIN_ROLE, MINTER_ROLE, REDEEMER_ROLE, GATEKEEPER_ROLEhttps://github.com/code-423n4/2023-10-ethenaretrieved 2026-04-28
- Matrix of Multisig and Timelocks — Gatekeepers role: 'Disables mint/redeems...cannot re-enable'https://docs.ethena.fi/solution-design/key-trust-assumptions/matrix-of-multisig-and-timelocksretrieved 2026-04-28
Methodology #
Determine whether the upgrade role, fee-collection role, and oracle-config role are assigned to distinct addresses.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol ethena factor RD-F-035 score yellow collected_at 2026-04-28 13:58:51