Timelock on sensitive actions

Multipli's assessment for RD-F-033 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No timelock on any of the five action categories. Mint: gated by requiresAuth only (no timelock). Pause: requiresAuth only. Rescue/removeFunds: owner-direct on MultipliBridger; requiresAuth on vault (no timelock). setOracle/FUND_MANAGER_ROLE: set by owner via RolesAuthority with no delay. Upgrade (_authorizeUpgrade): requiresAuth only.

Sources #

GitHub
MultipliVault.sol source — all sensitive functions gated by requiresAuth, no timelockMultipliVault.sol v2: pause() uses requiresAuth; _authorizeUpgrade uses requiresAuth; no TimelockControllerretrieved 2026-05-17
Etherscan
MultipliBridger — removeFunds onlyOwner no timelockMultipliBridger verified source: removeFunds() has onlyOwner, no timelockretrieved 2026-05-17

Methodology #

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol multipli factor RD-F-033 score red collected_at 2026-05-17 11:48:35