★ Rescue/emergencyWithdraw without timelock
QuickSwap's assessment for RD-F-041 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No timelock exists anywhere. Treasury multisig (2-of-4, no delay) can execute arbitrary token transfers including draining the 100M QUICK ($976K) and $6,845 USDC held in the multisig itself. V3 Factory owner can redirect vault/farming addresses (fee flows) with zero delay. V2 Factory feeToSetter (deployer EOA) can redirect protocol fees with zero delay. Full drain achievable in one transaction by 2 colluding signers.
Sources
- GitHub: AlgebraFactory setVaultAddress — no timelock. AlgebraFactory setVaultAddress() is onlyOwner with no timelock — can redirect fee flows immediately. Retrieved 2026-05-16.
- QuickSwap Admin Multisig — holdings and zero delay. Polygonscan multisig contract: required=2, no timelock, holds 100M QUICK + 6845 USDC. Retrieved 2026-05-16.
Methodology
Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists callable by admin without a timelock delay on execution.
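The pattern this factor looks for is an admin-only function whose effect lands in the same transaction as the call. The sketch below is an added illustration, not code from QuickSwap, Algebra or the rubric: it shows an instant owner-only setter (as a comment) beside a queue-then-execute version that enforces a delay. The contract name `VaultRegistry`, the `queue`/`cancel`/`execute` function names, the events and the 2-day `DELAY` are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical contract for illustration; not AlgebraFactory or QuickSwap code.
contract VaultRegistry {
    address public immutable owner;          // assumed: the admin multisig
    uint256 public constant DELAY = 2 days;  // assumed value, for illustration
    address public vaultAddress;
    address public pendingVault;
    uint256 public pendingEta;               // 0 means nothing is queued
    event VaultChangeQueued(address indexed newVault, uint256 eta);
    event VaultChangeCancelled(address indexed newVault);
    event VaultChanged(address indexed oldVault, address indexed newVault);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address initialVault) {
        owner = msg.sender;
        vaultAddress = initialVault;
    }

    // Pattern the factor flags: the change takes effect in the same transaction.
    //   function setVaultAddress(address v) external onlyOwner { vaultAddress = v; }

    // Step 1: announce the change on-chain and start the delay.
    function queueVaultAddress(address newVault) external onlyOwner {
        require(newVault != address(0), "zero address");
        pendingVault = newVault;
        pendingEta = block.timestamp + DELAY;
        emit VaultChangeQueued(newVault, pendingEta);
    }

    // A queued change can be withdrawn during the delay window.
    function cancelVaultAddress() external onlyOwner {
        require(pendingEta != 0, "nothing queued");
        emit VaultChangeCancelled(pendingVault);
        delete pendingVault;
        delete pendingEta;
    }

    // Step 2: succeeds only once the delay has elapsed.
    function executeVaultAddress() external onlyOwner {
        require(pendingEta != 0, "nothing queued");
        require(block.timestamp >= pendingEta, "delay not elapsed");
        emit VaultChanged(vaultAddress, pendingVault);
        vaultAddress = pendingVault;
        delete pendingVault;
        delete pendingEta;
    }
}
```

The `VaultChangeQueued` event is what gives users and monitoring a window to react; a delay with no observable announcement provides little protection.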