defirisk.co
rubric v1.7.0

Immutable oracle address

Liquid Collective (LsETH)'s assessment for RD-F-180 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CANDIDATE per PD-017 — assess and report; compose.py is authoritative ★ counter] Oracle address in River stored in mutable unstructured-storage slot (bytes32(uint256(keccak256('river.state.oracleAddress')) - 1)) via OracleAddress.sol library with get()/set() functions. GitHub search for 'setOracle' in repository returns 0 results. River.1.sol exposes no admin-callable setOracle() post-initialization. Oracle address is set once in initRiverV1() via OracleManagerV1.initOracleManagerV1(_oracleAddress); no subsequent admin setter. However River is an upgradeable proxy (TUPProxy); Proxy Admin Safe (4-of-7, no timelock) can upgrade implementation and programmatically reach OracleAddress.set(). Oracle address IS replaceable via proxy upgrade — not EVM-immutable keyword pattern. Yellow not red: technical replaceability exists (proxy upgrade path); distinguishes from full-immutable class (USR/USDX/xUSD pattern). Risk: no direct admin setter means oracle replacement requires a full upgrade (h

Sources #

  • GitHub
    Liquid Collective River.1.sol sourcestate/river/OracleAddress.sol — mutable storage slot with get()/set(); River.1.sol — no setOracle admin functionretrieved 2026-05-17
  • GitHub
    GitHub search: setOracle in liquid-collective-protocolGitHub search for 'setOracle' returns 0 results — no admin oracle setter in repositoryretrieved 2026-05-17
  • Internal
    00-profile.md §7 and §11Profile §7 — F180 flag: 'oracle-dependency-analyst must check whether OracleOperators list is admin-updatable or hard-coded in River contract'retrieved 2026-05-17
  • Etherscan
    Etherscan — Liquid Collective Oracle contractOracle proxy 0x895a57eD71025D51fe4080530A3489D92E230683 — TUPProxy (upgradeable); implementation 0x51e09Ed43f5658a77428e6419aea83d769c9b2fd verifiedretrieved 2026-05-17

Methodology #

Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquid-collective factor RD-F-180 score yellow collected_at 2026-05-16 19:46:23