★ Rescue/emergencyWithdraw without timelock
Save (formerly Solend)'s assessment for RD-F-041 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The lending market owner (5pHk2TmnqQzRF9L6egy5FfiyBgS7G9cMZ5RFaJAvghzw) can set reserve supply/borrow limits to zero, which is a functional halt. Recovery Mode grants emergency parameter-change powers with no on-chain timelock. The upgrade authority EOA can deploy arbitrary new bytecode, including any rescue/drain function. The response to the November 2022 oracle attack involved the team 'temporarily disabling the liquidity pool' via an admin action with no timelock. No emergency function or admin action is restricted to a timelocked path.
Sources
- Gate.com — Solend history including Nov 2022 oracle attack response. gate.com/learn Solend article — November 2022 oracle attack: team temporarily disabled liquidity pool (no timelock required). Retrieved 2026-05-17.
- Save Access Controls. docs.save.finance/architecture/access-controls — lending market owner can set limits to zero but 'cannot block withdrawals or move user funds' (note: program upgrade authority can override this). Retrieved 2026-05-17.
Methodology
Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists callable by admin without a timelock delay on execution.