UUPS _authorizeUpgrade correctly permissioned

Lido's assessment for RD-F-021 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Lido uses OssifiableProxy (not UUPS) for V2/V3 contracts. UUPSUpgradeable vulnerability (GHSA-5vp3-v4hc-gx76) only affects OZ 4.1.0-4.3.2; Lido V3 uses OZ 5.2.0 (unaffected), legacy uses Aragon proxy (unaffected). OssifiableProxy has proxy__upgradeTo() controlled by admin-only.

Sources #

URL
GHSA-5vp3-v4hc-gx76https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76retrieved 2026-04-28
URL
0xFdDf38947aFB03C621C71b06C9C70bce73f12999#codehttps://etherscan.io/address/0xFdDf38947aFB03C621C71b06C9C70bce73f12999#coderetrieved 2026-04-28

Methodology #

Determine whether the UUPS implementation defines `_authorizeUpgrade(address)` restricted to owner/admin/timelock (not open to arbitrary callers).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol lido factor RD-F-021 score green collected_at 2026-04-28 13:58:42