★ Sudden admin-rescue/ACL change without discussion
Frax Finance's assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
STAR CRITICAL. Dec 2025 stealth-patch event on FraxEtherRedemptionQueueV2 (0xfDC69e6BE352BD5644C438302DE4E311AAD5565b): (1) External researcher reported DoS vulnerability Dec 5 2025; (2) Frax security team denied the bug same day; (3) Contract was patched with CannotRedeemZero() revert between Dec 5-16 with no GitHub issue, PR, governance post, or public discussion; (4) Frax team denied making changes even after fix was live; (5) Reporter opened governance forum thread #3818 on Dec 17 - team-initiated discussion absent. This is a substantiated case of a deployed code change without any preceding public discussion, matching the F123 literal definition. Yellow rather than red because: the change was a security patch not an ACL/admin-role change, no funds were drained, and the insider-implant threat model (the red-signal archetype) is absent - this is a transparency failure, not a compromised-insider ACL insertion.
Sources
- Governance Attribution Dispute - RedemptionQueueV2 DoS Vulnerability (Frax Finance Governance, gov.frax.finance): Attribution Dispute thread #3818; the external reporter documents the timeline of denial followed by a silent fix. Retrieved 2026-05-17.
- FraxEtherRedemptionQueueV2 (Etherscan): FraxEtherRedemptionQueueV2 contract, deployed ~Oct 2023; source verified, exact match per Etherscan. Retrieved 2026-05-17.
- FRAX FINANCE: The Stealth Patch and The Stolen Bounty (Medium): post by Donnyoregon detailing the stealth-patch timeline and the CannotRedeemZero evidence. Retrieved 2026-05-17.
Methodology
Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.