★ Low-threshold multisig vs TVL
Pendle Finance's assessment for RD-F-028 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Low-quorum multisig admin custody. Dev Multisig (0xE6F0489ED91dc27f40f9dbe8f81fccbFC16b9cb1) requires 2-of-5 signatures; Treasury Multisig (0x8270400d528c34e1596EF367eeDEc99080A1b592) requires 2-of-6 signatures - both verified live via the Safe Transaction Service API on 2026-05-07. Two compromised signers can move funds or execute governable-module changes on either Safe; both thresholds sit far below the peer norm of 4/7 or 5/8 for a $1.44B TVL protocol. (OAK Research's published 2/4 figure for the dev multisig is stale - the on-chain Safe currently has 5 owners; the threshold remains 2.) One signer (0x231FC5b039d66BA234CB90357082Bf16Be79B17c) is shared across both Safes, further concentrating control.
Sources
- Safe API Treasury — threshold 2-of-6. Treasury threshold=2, owners=6 confirmed via Safe Transaction Service API (retrieved 2026-04-29)
- Safe API Dev Multisig — threshold 2-of-5. Dev Multisig threshold=2, owners=5 confirmed via Safe Transaction Service API (retrieved 2026-04-29)
- https://docs.pendle.finance/pendle-v2/Security (retrieved 2026-05-06)
Methodology
Determine whether the multisig threshold is abnormally low relative to the TVL peer cohort (e.g., 2-of-3 for a protocol with >$100M TVL where the peer norm is 5-of-8).
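One way to run this check over Safe metadata, as an added example that is not the curator's own tooling: it compares each Safe's quorum with the peer norms quoted above and counts how few distinct signer keys satisfy both thresholds once the shared signer is taken into account. The records are constructed in the shape of a Safe Transaction Service response (`threshold`, `owners`); every owner except the shared signer named above is a placeholder.

```python
from itertools import combinations

# Constructed sample data. Thresholds, owner counts and the shared signer come
# from the evidence summary; all other owner entries are placeholders.
SHARED = "0x231FC5b039d66BA234CB90357082Bf16Be79B17c"
DEV = {"address": "0xE6F0489ED91dc27f40f9dbe8f81fccbFC16b9cb1", "threshold": 2,
       "owners": [SHARED] + [f"dev-owner-{i}" for i in range(1, 5)]}
TREASURY = {"address": "0x8270400d528c34e1596EF367eeDEc99080A1b592", "threshold": 2,
            "owners": [SHARED] + [f"treasury-owner-{i}" for i in range(1, 6)]}
PEER_NORMS = [(4, 7), (5, 8)]  # (threshold, owners) peer norms quoted above


def owner_set(safe):
    # Addresses are compared case-insensitively (checksum casing varies).
    return {o.lower() for o in safe["owners"]}


def below_peer_norm(safe, norms=PEER_NORMS):
    """True if the threshold and the quorum ratio are under every peer norm."""
    ratio = safe["threshold"] / len(safe["owners"])
    return all(safe["threshold"] < m and ratio < m / n for m, n in norms)


def shared_signers(*safes):
    """Owners that appear on every Safe passed in."""
    return set.intersection(*(owner_set(s) for s in safes))


def min_keys_to_control_all(*safes):
    """Smallest number of distinct signer keys meeting every Safe's threshold."""
    universe = sorted(set().union(*(owner_set(s) for s in safes)))
    for k in range(1, len(universe) + 1):
        for combo in combinations(universe, k):
            held = set(combo)
            if all(len(held & owner_set(s)) >= s["threshold"] for s in safes):
                return k
    return None  # unreachable when every threshold <= its owner count


if __name__ == "__main__":
    for name, safe in (("dev", DEV), ("treasury", TREASURY)):
        print(name, f'{safe["threshold"]}-of-{len(safe["owners"])}',
              "below peer norm:", below_peer_norm(safe))
    print("shared signers:", shared_signers(DEV, TREASURY))
    print("keys needed for both Safes:", min_keys_to_control_all(DEV, TREASURY))
```

With the shared signer, three keys satisfy both Safes; with disjoint owner sets the same thresholds would require four.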