defirisk.co
rubric v1.7.0

Immutable oracle address

Multipli's assessment for RD-F-180 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[★ CRITICAL] The rwaUSD SignedFeedVerifier signer set composition is undisclosed. The docs state 'N-of-M quorum rules per profile' but do not confirm N, M, the key management type, or whether signing keys are held by a multisig or a single EOA. The governance docs state that the Oracle Admin manages signer sets 'via timelock ideally'; the qualifier 'ideally' indicates the timelock is aspirational, not enforced. For xToken vaults, the ORACLE role address is changeable by the Admin role holder (setAuthority in AuthUpgradeable.sol), but the replacement path has no confirmed timelock, and the identity of the actual ORACLE role holder is not disclosed. Compromise of a single signer for SignedFeedVerifier would affect 100+ RWA collateral profiles. Red because: (1) signer custody is undisclosed; (2) the timelock on oracle changes is 'ideal', not enforced; (3) a single-signer scenario cannot be ruled out from public evidence.

Sources

Methodology

Determine whether any collateral oracle address is marked `immutable` in the protocol config with no admin-replaceable adapter wrapper, which would prevent the protocol from repricing when the upstream asset depegs.
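The two patterns this factor distinguishes, as an added illustration that is not Multipli's code: a vault whose oracle is `immutable` (no repricing path at all) beside an adapter wrapper whose feed can be replaced only through an on-chain two-step change with an enforced delay, rather than a timelock that is merely 'ideal'. Contract names, the `IPriceFeed` interface and the 2-day delay are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal feed interface for the example.
interface IPriceFeed {
    function latestAnswer() external view returns (int256);
}

// Pattern the factor flags: the collateral oracle is `immutable`, so if the upstream
// feed fails or the asset depegs, the protocol has no way to reprice the collateral.
contract ImmutableOracleVault {
    IPriceFeed public immutable oracle;

    constructor(IPriceFeed _oracle) { oracle = _oracle; }

    function collateralPrice() external view returns (int256) { return oracle.latestAnswer(); }
}

// Mitigation: an admin-replaceable adapter where the replacement path itself enforces
// the delay on-chain. A compromised admin key cannot swap the feed instantly, and the
// proposal event gives monitoring a window to react before the change takes effect.
contract TimelockedOracleAdapter {
    uint256 public constant DELAY = 2 days; // assumed delay for the example
    address public immutable admin;
    IPriceFeed public feed;
    IPriceFeed public pendingFeed;
    uint256 public pendingEta;

    event FeedChangeProposed(address indexed newFeed, uint256 eta);
    event FeedChanged(address indexed oldFeed, address indexed newFeed);

    constructor(address _admin, IPriceFeed _feed) { admin = _admin; feed = _feed; }

    // Step 1: record the proposed feed and the earliest time it may become active.
    function proposeFeed(IPriceFeed newFeed) external {
        require(msg.sender == admin, "not admin");
        require(address(newFeed) != address(0), "zero feed");
        pendingFeed = newFeed;
        pendingEta = block.timestamp + DELAY;
        emit FeedChangeProposed(address(newFeed), pendingEta);
    }

    // Step 2: only after the delay has elapsed can the pending feed be activated.
    function executeFeedChange() external {
        require(msg.sender == admin, "not admin");
        require(address(pendingFeed) != address(0), "nothing pending");
        require(block.timestamp >= pendingEta, "timelock active");
        emit FeedChanged(address(feed), address(pendingFeed));
        feed = pendingFeed;
        delete pendingFeed;
        delete pendingEta;
    }

    function latestAnswer() external view returns (int256) { return feed.latestAnswer(); }
}
```

Reviewing a protocol against this factor means checking which of the two shapes its oracle wiring takes, and, for the second, whether the delay is enforced by the contract or only promised in the docs.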


rubric_version v1.7.0 protocol multipli factor RD-F-180 score red collected_at 2026-05-17 11:48:35