★ Sudden admin-rescue/ACL change without discussion
M^0's assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
YELLOW — split posture. Core TTG contracts (MToken, MinterGateway, Registrar, 3 governors) are immutable; all parameter changes require on-chain TTG proposal with 15-day epoch cycle, providing a strong public disclosure trail. Periphery gap: SwapFacility (0xB6807116b3B1B321a390594e31ECD6e0076f6278, TransparentUpgradeableProxy) has proxy admin = Deployer EOA (0xf2f1acbe0ba726fee8d75f3e32900526874740bb). Three upgrades executed: Aug 5 2025 (deploy), Aug 11 2025, Feb 24 2026 (block 24529552). No public governance forum post on research.m0.org or GitHub PR/issue corresponding to the Feb 2026 upgrade was found. The periphery upgrade path is deployer-EOA-unilateral, bypassing TTG epoch. Yellow (not red) because: (1) the core protocol surface is fully TTG-governed; (2) SwapFacility is a periphery extension, not core MToken/MinterGateway; (3) the audit trail for core changes is strong. Would escalate to red if a core admin ACL change were executed without discussion.
Sources #
- EtherscanSwapFacility TransparentUpgradeableProxy — EtherscanSwapFacility TransparentUpgradeableProxy — proxy admin = M0: Deployer EOA; 3 upgrade events including Feb 24 2026retrieved 2026-05-16
- M0 Research Forum — governance discussionsM0 Research governance forum — no SwapFacility upgrade discussion foundretrieved 2026-05-16
- M^0 Protocol Profile §3 and §600-profile.md §3 — SwapFacility proxy pattern and §6 — deployer EOA as proxy admin flagretrieved 2026-05-16
Methodology #
Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.
See the full factor methodology and distribution across all protocols →