UUPS _authorizeUpgrade correctly permissioned

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-021 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

v2-core, v3-core, and SushiXSwap v2 core contracts all use the constructor pattern, not UUPS upgradeable proxies. UniswapV2Factory (0.6.12) and UniswapV3Factory (0.7.6) are non-upgradeable immutable deployments. SushiXSwap v2 uses a constructor with no proxy pattern. No UUPS implementation detected in core components reviewed.

Sources #

Etherscan
SushiV3Factory Etherscan sourceUniswapV3Factory 0xbaceb8ec — constructor-based, no proxy patternretrieved 2026-05-17
Etherscan
SushiV2Factory Etherscan sourceUniswapV2Factory 0xc0aEe478 — constructor-based, no proxy patternretrieved 2026-05-17

Methodology #

Determine whether the UUPS implementation defines `_authorizeUpgrade(address)` restricted to owner/admin/timelock (not open to arbitrary callers).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-021 score not_applicable collected_at 2026-05-16 19:50:37