Timelock on sensitive actions

Superstate's assessment for RD-F-033 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No timelock on any sensitive action. Functions mint(), adminBurn(), pause(), setOracle(), setRedemptionContract(), and upgrade() all execute immediately upon owner call. SuperstateToken.sol source confirms no TimelockController import or modifier. Docs state admin actions are gated only by the Superstate Admin Address with no stated delay. Every privileged operation is single-tx, zero-delay.

Sources #

Docs
Superstate Documentation - Admin FunctionsAdmin functions gated by Superstate Admin Address with no mention of timelock or delayretrieved 2026-05-16
GitHub
SuperstateToken.sol Source - No TimelockSuperstateToken.sol: all admin functions use _checkOwner(); no timelock modifier or TimelockController import found; mint(), adminBurn(), pause(), setOracle() all execute immediatelyretrieved 2026-05-16

Methodology #

For each sensitive action category (mint / pause / rescue / setOracle / upgrade), determine whether execution requires going through the declared timelock.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol superstate factor RD-F-033 score red collected_at 2026-05-16 00:06:37