Timelock on sensitive actions

Fluid's assessment for RD-F-033 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Key sensitive actions without timelock: addImplementation/removeImplementation/setAdmin (Infinite Proxy), updateAuths/updateGuardians (AdminModule), collectRevenue (AdminModule), changeStatus, pauseUser. withdrawFunds on ReserveContract is restricted to pre-approved recipients only. No timelock wrappers on any of these.

Sources #

GitHub
AdminModule: onlyGovernance, onlyAuths, onlyGuardians — no timelock wrapper on any functionfluid-contracts-public/contracts/liquidity/adminModule/main.solretrieved 2026-04-29
Etherscan
ReserveContract impl: withdrawFunds() restricted to TREASURY_ADDRESS or BUYBACK_CONTRACT_ADDRESS0xFb3102759F2d57F547b9C519db49Ce1fFDE15dB2retrieved 2026-04-29

Methodology #

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol fluid factor RD-F-033 score red collected_at 2026-04-29 10:35:01