defirisk.co
rubric v1.7.0

Sudden admin-rescue/ACL change without discussion

Meteora's assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[STAR CRITICAL] The Hurlock v. Kelsier amended complaint (SDNY 1:25-cv-03891, filed 2025-04-19, amended 2025-07-29) alleges defendants 'retained hidden upgrade authority over Meteora smart contracts through a multisig wallet under their exclusive control, allowing them to manipulate pools and freeze trading while portraying the system as decentralized.' [?] This is the insider-admin-use-without-disclosure pattern F123 captures. Facts confirmed: (1) DLMM upgrade authority is Squads v3 PDA (JADaUV8k...) with no on-chain timelock; (2) Ben Chow's resignation was announced unilaterally by co-founder Meow via X on 2025-02-18, not via a governance proposal on proposals.meteora.ag; (3) no corresponding governance forum discussion at proposals.meteora.ag was identified for the alleged M3M3 pool-freeze events. Underlying admin-use-acts are alleged [?] in the complaint and not confirmed by independent on-chain analysis in this assessment pass. Graded yellow: litigation allegation is documented an

Sources

Methodology

Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.


rubric_version: v1.7.0
protocol: meteora
factor: RD-F-123
score: yellow
collected_at: 2026-05-16 10:03:05