★ Immutable oracle address
Midas's assessment for RD-F-180 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[★ CRITICAL-CANDIDATE per T-12 PD-017 — FLAG for orchestrator] Oracle addresses are NOT immutable — F180 does not fire red. (1) MTBillCustomAggregatorFeed is a TransparentUpgradeableProxy — proxy admin can upgrade implementation, changing oracle logic. (2) DataFeed.sol exposes changeAggregator() callable by DEFAULT_ADMIN_ROLE, allowing the underlying Chainlink feed address to be replaced. (3) ManageableVault.sol sets mTokenDataFeed at initialization with no explicit setter, but the vault is also an upgradeable proxy — the mTokenDataFeed address can change via proxy upgrade. No timelock on oracle changes. Oracle swappability prevents the immutability lock-in scenario (USR/USDX/xUSD pattern) but creates admin-key-as-oracle-control risk. Score yellow: admin-swappable without timelock.
Sources #
- GitHubSherlock 2024-08 ManageableVault.sol — mTokenDataFeed initsherlock-audit/2024-08-midas-minter-redeemer ManageableVault.sol: mTokenDataFeed set at init, no setter, but vault is upgradeable proxy — oracle address changeable via upgraderetrieved 2026-05-16
- Sherlock 2024-05 DataFeed.sol — changeAggregator functionsherlock-audit/2024-05-midas DataFeed.sol: changeAggregator() guarded by DEFAULT_ADMIN_ROLE allows oracle address replacementretrieved 2026-05-16
- MTBillCustomAggregatorFeed Proxy — Etherscan0x056339C044055819E8Db84E71f5f2E1F536b2E5b confirmed TransparentUpgradeableProxy (EIP-1967); impl 0x0d84eC93e9a734184c7f59f61342f432444efc1bretrieved 2026-05-16
Methodology #
Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.
See the full factor methodology and distribution across all protocols →