defirisk.co
rubric v1.7.0

Timelock on sensitive actions

Midas's assessment for RD-F-033 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Mapping of sensitive actions to timelock status:

  (1) Upgrade: only Dec-2025 used timelock; Sep-2024 and Apr-2025 bypassed.
  (2) Mint (M_TBILL_MINT_OPERATOR_ROLE): no timelock.
  (3) Rescue/withdrawToken (onlyVaultAdmin): no timelock.
  (4) Pause (M_TBILL_PAUSE_OPERATOR_ROLE): no timelock.
  (5) Oracle/DataFeed swap: no timelock confirmed.

At most 1 of 5 sensitive action types has been timelocked (and inconsistently at that). Red: ≤2 timelocked.

Sources

  • GitHub
    mTBILL.sol — Sherlock 2024-05
    mTBILL.sol: mint() and pause() role gates, no timelock
    retrieved 2026-05-16
  • GitHub
    ManageableVault.sol — Sherlock 2024-08
    ManageableVault.sol: withdrawToken onlyVaultAdmin, no timelock; mTBILL.sol: mint onlyRole(M_TBILL_MINT_OPERATOR_ROLE), no timelock; pause/unpause onlyRole(M_TBILL_PAUSE_OPERATOR_ROLE)
    retrieved 2026-05-16

Methodology

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.


rubric_version: v1.7.0
protocol: midas
factor: RD-F-033
score: red
collected_at: 2026-05-16 09:34:55