UUPS _authorizeUpgrade correctly permissioned

Orca's assessment for RD-F-021 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

UUPS (EIP-1822) is an EVM proxy upgrade pattern. Whirlpools uses BPFLoaderUpgradeable — Solana's native program upgrade mechanism where the upgrade authority is a separate account (Squads v4 vault, 3-of-10 multisig, 24h timelock). No _authorizeUpgrade() function exists in Anchor/Rust programs.

Sources #

GitHub
Whirlpool program lib.rs (Anchor/Rust — confirms non-EVM substrate)https://github.com/orca-so/whirlpools/blob/main/programs/whirlpool/src/lib.rsretrieved 2026-05-16

Methodology #

Determine whether the UUPS implementation defines `_authorizeUpgrade(address)` restricted to owner/admin/timelock (not open to arbitrary callers).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol orca factor RD-F-021 score not_applicable collected_at 2026-05-16 02:39:16