★ Admin = deployer EOA after 7 days

Pendle Finance's assessment for RD-F-043 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] ProxyAdmin owner is Pendle Deployer 1 EOA (0x1FcCC097db89A86Bfc474A1028F93958295b1Fb7), approximately 29 months after V2 mainnet launch. Deployer EOA made a transaction to the Governance Safe 42 hours before assessment date (2026-04-27), confirming it is still active with admin power. No evidence of ProxyAdmin ownership transfer to a multisig.

Sources #

Etherscan
Pendle Deployer 1 — active 42h before assessmentDeployer 1 EOA 0x1FcCC097db89A86Bfc474A1028F93958295b1Fb7 — active tx to Safe 2026-04-27retrieved 2026-04-29
URL
https://oakresearch.io/en/reports/protocols/pendle-pendle-comprehensive-overview-leading-platform-on-chain-yieldretrieved 2026-05-06
Etherscan
Pendle ProxyAdmin — owner EOA confirmedProxyAdmin 0xA28c08f165116587D4F3E708743B4dEe155c5E64 — owner is Deployer 1 EOAretrieved 2026-04-29
URL
https://docs.pendle.finance/pendle-v2/Securityretrieved 2026-05-06

Methodology #

Determine whether, at t = deploy+7d, the admin address still equals the deployer EOA with no evidence of transfer to a multisig.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol pendle factor RD-F-043 score red collected_at 2026-04-28 21:09:40