Role separation: upgrade ≠ fee ≠ oracle

Polymarket's assessment for RD-F-035 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No role separation. CTFExchange admin controls upgrade (addAdmin), fee (setFeeReceiver), and oracle-config (operator grants, which execute market resolution). pUSD owner controls upgrade (UUPS) and fee/inflation (MINTER_ROLE). Single admin controller for all three role types.

Sources #

GitHub
CollateralToken.sol — _authorizeUpgrade onlyOwner (no timelock); addMinter onlyOwnerPolymarket/ctf-exchange-v2/src/collateral/CollateralToken.solretrieved 2026-04-29
GitHub
Auth.sol — no timelock mechanism; addAdmin/addOperator execute immediatelyPolymarket/ctf-exchange-v2/src/exchange/mixins/Auth.solretrieved 2026-04-29

Methodology #

Determine whether the upgrade role, fee-collection role, and oracle-config role are assigned to distinct addresses.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol polymarket factor RD-F-035 score red collected_at 2026-04-29 16:25:39