★ Rescue/emergencyWithdraw without timelock
Liquid Collective (LsETH)'s assessment for RD-F-041 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
CRITICAL: No dedicated emergencyWithdraw or rescue function in River.1.sol, Withdraw.1.sol, CoverageFund.1.sol, or RedeemManager.1.sol. However, the Proxy Admin Safe can upgrade any proxy implementation to arbitrary code with no timelock — 4-of-7 signatures sufficient to drain all $767M in one transaction. TUPProxy admin can also pause all protocol contracts immediately, blocking all withdrawals. The upgrade path (no timelock, no guardian veto) is the critical drain vector — it is structurally equivalent to an untimelocked rescue function at this scale.
Sources
- Etherscan: River proxy — upgradeTo() callable by Proxy Admin Safe without delay. 0x8c1BEd5b9a0928467c9B1341Da1D7BD5e10b6549 — upgradeTo() admin-callable, no delay. Retrieved 2026-05-17.
- Data cache — confirmed no timelock on upgrade path. research/protocols/liquid-collective/00-data-cache.json §sources.governance.timelock_address=null. Retrieved 2026-05-16.
- River.1.sol — no rescue/emergencyWithdraw function. liquid-collective/liquid-collective-protocol/blob/main/contracts/src/River.1.sol — no emergencyWithdraw function found. Retrieved 2026-05-17.
Methodology
Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists callable by admin without a timelock delay on execution.