defirisk.co
rubric v1.7.0

Role separation: upgrade ≠ fee ≠ oracle

The assessment of Sushi (SushiSwap: v2, v3, Trident, BentoBox/Kashi and SushiXSwap) for factor RD-F-035 scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Limited role separation observed. The Ops Multisig appears to be the single operational control point; the Treasury Multisig is separate and handles fund disbursement. There is no formal RBAC separating the upgrade, fee-configuration, and oracle roles into distinct holders. The V2 factory feeToSetter may be distinct from the Ops Multisig (unconfirmed). The core AMM has no oracle role. Partial separation (Ops vs Treasury) exists but is insufficient for a green score.

Sources

  • Internal
    00-profile.md §6 (Profile §6) — two multisig addresses with distinct scopes (Ops vs Treasury) but no further role separation confirmed. Retrieved 2026-05-17.
  • Docs
    Sushi Governance Docs (Sushi docs) — operations multisig handles core protocol changes; treasury multisig handles devfund. Retrieved 2026-05-17.

Methodology

Determine whether the upgrade role, fee-collection role, and oracle-config role are assigned to distinct addresses.
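The check described above, written out as an added example (this is not defirisk.co's tooling and not Sushi's code). It assumes the reviewer has already resolved each role to an address; the addresses below are constructed placeholders, not real Sushi multisig addresses, and the green/yellow/red thresholds are this example's own assumption rather than the rubric's published rule. It goes slightly beyond the three roles in the methodology by accepting any set of roles, so the treasury multisig and a role that does not exist (the core AMM's missing oracle role) can be represented too.

```python
# Added example (not defirisk.co's tooling): a role-separation check of the kind the
# methodology describes. All addresses are constructed placeholders, not Sushi's.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RoleHolder:
    role: str                 # "upgrade", "fee", "oracle", "treasury", ...
    address: Optional[str]    # None when the protocol has no such role (e.g. no oracle role)
    confirmed: bool = True    # False when the holder is reported but not verified against chain state


# Constructed placeholder addresses (NOT real Sushi multisig addresses).
OPS_MULTISIG = "0xAAAA000000000000000000000000000000000001"
TREASURY_MULTISIG = "0xBBBB000000000000000000000000000000000002"
ORACLE_ADMIN = "0xCCCC000000000000000000000000000000000003"
SINGLE_EOA = "0xDDDD000000000000000000000000000000000004"


def normalize_address(addr: str) -> str:
    """Compare addresses case-insensitively; EIP-55 checksum casing varies between sources."""
    return addr.strip().lower()


def assess_role_separation(holders):
    """Score role separation as 'green', 'yellow' or 'red' and list the reasons.

    Thresholds are this example's assumption, not the rubric's published rule:
      red    - every existing role is held by one address
      green  - every existing role has its own confirmed holder
      yellow - anything in between (shared holders, or unverified holder claims)
    """
    reasons = []
    present = [h for h in holders if h.address is not None]
    for h in holders:
        if h.address is None:
            reasons.append(f"{h.role}: no such role in this protocol (not counted)")

    # Group existing roles by (normalized) holder address to find shared control points.
    by_address = {}
    for h in present:
        by_address.setdefault(normalize_address(h.address), []).append(h.role)

    shared = {addr: roles for addr, roles in by_address.items() if len(roles) > 1}
    for addr, roles in shared.items():
        reasons.append(f"{addr} holds {' + '.join(roles)}")

    # An unverified holder cannot count as evidence of separation.
    unconfirmed = [h.role for h in present if not h.confirmed]
    for role in unconfirmed:
        reasons.append(f"{role}: holder identity not confirmed on-chain")

    if len(present) >= 2 and len(by_address) == 1:
        return "red", reasons
    if not shared and not unconfirmed:
        return "green", reasons
    return "yellow", reasons


# The pattern this page describes: upgrade and fee control sit with one operational
# multisig, treasury is separate, feeToSetter possibly distinct but unverified, no oracle role.
SUSHI_LIKE = [
    RoleHolder("upgrade", OPS_MULTISIG),
    RoleHolder("fee", OPS_MULTISIG, confirmed=False),   # V2 feeToSetter may differ (unconfirmed)
    RoleHolder("oracle", None),                         # core AMM has no oracle role
    RoleHolder("treasury", TREASURY_MULTISIG),
]

FULLY_SEPARATED = [
    RoleHolder("upgrade", OPS_MULTISIG),
    RoleHolder("fee", TREASURY_MULTISIG),
    RoleHolder("oracle", ORACLE_ADMIN),
]

# Same key written with different casing in two sources: still one control point.
SINGLE_KEY = [
    RoleHolder("upgrade", SINGLE_EOA),
    RoleHolder("fee", "0xdddd000000000000000000000000000000000004"),
    RoleHolder("oracle", SINGLE_EOA),
]

if __name__ == "__main__":
    for name, holders in [("sushi-like", SUSHI_LIKE),
                          ("separated", FULLY_SEPARATED),
                          ("single-key", SINGLE_KEY)]:
        score, why = assess_role_separation(holders)
        print(f"{name}: {score}")
        for line in why:
            print("  -", line)
```

The constructed Sushi-like input lands on yellow for the two reasons the evidence summary gives: one address holds both upgrade and fee control, and the possibly distinct feeToSetter is unverified. A missing role is reported but never counted for or against the score, so a protocol with no oracle role is not penalized for it.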


rubric_version: v1.7.0 · protocol: sushi · factor: RD-F-035 · score: yellow · collected_at: 2026-05-16 19:50:37