Hot-patch deploys without timelock (last 30 days)

StakeWise v3's assessment for RD-F-138 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

All upgrades executed without timelock. The protocol has no TimelockController (timelock_address null). Every upgrade executed by the DAO Safe is structurally a hot-patch from a timelock perspective. The November 2025 emergency osETH controller action is the clearest example: controller authority granted and exercised without any delay. Count of hot-patch deploys in last 30 days: at minimum the v5.0.0 deployment (2026-04-29, 17 days before assessment).

Sources #

Internal
StakeWise data cache — no timelock00-data-cache.json: timelock_address null, timelock_delay_seconds nullretrieved 2026-05-16
URL
Balancer hacker loses $20M — DL NewsDL News: emergency controller action executed without timelock or governance voteretrieved 2026-05-16

Methodology #

Count upgrades executed in the last 30 days without going through the declared timelock path.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol stakewise factor RD-F-138 score red collected_at 2026-05-16 01:03:28