defirisk.co
rubric v1.7.0

Immutable oracle address

Spiko's assessment for RD-F-180 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[STAR CRITICAL-CANDIDATE — FLAG FOR T-14] ATM3.sol declares `Oracle immutable public oracle;`: the oracle address is set at construction and cannot be replaced by any admin action. There is no setOracle function, and no admin-replaceable wrapper exists in ATM3. This is confirmed use of the EVM `immutable` keyword as defined by F180 (PD-023). Partial mitigation: the newer MultiATMLinear.sol stores the oracle in a mutable _pairs mapping, and setPair() allows replacement. The live risk therefore depends on which contract variant handles current subscriptions and redemptions. The Trail of Bits audit of Oct 2023 covered ATM3, but the immutability was not flagged as a remediation item.

Sources

  • Audit
    Trail of Bits Spiko Security Review Oct 2023
    Trail of Bits Oct 2023 security review of Spiko EVM contracts including Oracle and ATM3; immutability not flagged as a remediation item.
    Retrieved 2026-05-16
  • GitHub
    MultiATMLinear.sol — spiko-tech/contracts
    MultiATMLinear.sol setPair(IERC20Metadata token1, IERC20Metadata token2, Oracle oracle, uint256 oracleTTL, bool linearYield): mutable oracle in the newer contract variant, providing partial mitigation.
    Retrieved 2026-05-16
  • GitHub
    ATM3.sol — spiko-tech/contracts
    ATM3.sol line `Oracle immutable public oracle;`: immutable declaration, set in the constructor only, no setOracle function anywhere in the file.
    Retrieved 2026-05-16

Methodology

Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.
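The check above is a source-level review. As an added illustration (not defirisk.co tooling and not Spiko's code), the Python heuristic below screens Solidity source for oracle-typed or oracle-named state variables and reports whether each is immutable, mutable with a setter, or mutable with no setter at all; the three contract fragments are constructed for the example.

```python
import re
# Constructed Solidity fragments (not Spiko's code) for the three cases the F180
# check separates; a textual screen cannot see a replaceable wrapper behind the address.
IMMUTABLE_SRC = """contract ATMImmutable {
    Oracle immutable public oracle;
    constructor(Oracle _oracle) { oracle = _oracle; }
}"""
MUTABLE_SRC = """contract ATMMutable {
    Oracle public oracle;
    uint256 public oracleTTL;
    constructor(Oracle _oracle) { oracle = _oracle; }
    function setOracle(Oracle o, uint256 ttl) external onlyRole(ADMIN) { oracle = o; oracleTTL = ttl; }
}"""
STUCK_SRC = """contract ATMStuck {
    address public priceOracle;
    constructor(address o) { priceOracle = o; }
}"""
DECL_RE = re.compile(r'^\s*(?P<type>[\w.]+)\s+(?P<mods>(?:(?:public|private|'
                     r'internal|immutable|constant|override)\s+)*)(?P<name>\w+)\s*;', re.M)

def _function_bodies(src):
    """Yield (name, body) per function; the constructor is reported as 'constructor'."""
    for m in re.finditer(r'\b(constructor|function\s+(\w+))\s*\(', src):
        rest = src[m.end():]
        brace, semi = rest.find('{'), rest.find(';')
        if brace == -1 or (semi != -1 and semi < brace):
            continue  # bodiless declaration (interface / abstract)
        start, depth = m.end() + brace, 0
        for j in range(start, len(src)):
            depth += (src[j] == '{') - (src[j] == '}')
            if depth == 0:
                yield m.group(2) or 'constructor', src[start:j + 1]
                break

def assess_oracle_variables(src):
    """Map oracle-related state variables to (status, [setters]): 'fixed' (immutable or
    constant), 'replaceable' (written outside the constructor) or 'no-setter'."""
    setters = {}
    for fname, body in _function_bodies(src):
        if fname != 'constructor':
            for target in re.findall(r'\b(\w+)\s*=(?!=)', body):
                setters.setdefault(target, set()).add(fname)
    results = {}
    for m in DECL_RE.finditer(src):
        typ, mods, name = m.group('type', 'mods', 'name')
        if 'oracle' in (typ + name).lower():
            status = ('fixed' if re.search(r'\b(immutable|constant)\b', mods)
                      else 'replaceable' if name in setters else 'no-setter')
            results[name] = (status, sorted(setters.get(name, ())))
    return results
```

A 'no-setter' result is as unreplaceable in practice as 'fixed'; only 'replaceable' indicates the protocol can reprice by swapping the oracle, and the setter's access control still has to be reviewed by hand.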


rubric_version: v1.7.0 · protocol: spiko · factor: RD-F-180 · score: red · collected_at: 2026-05-15 22:52:13