Role separation: upgrade ≠ fee ≠ oracle

Veda (BoringVault)'s assessment for RD-F-035 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

RolesAuthority assigns distinct roles: MINTER_ROLE (Teller), MANAGER_ROLE (strategist), MULTISIG_ROLE (pause). Separate Accountant for fee/rate management. However, the single 3-of-5 Safe/TimelockController (minDelay=0) that owns RolesAuthority controls all role assignments. Effective role separation is constrained by the single controlling Safe.

Sources #

GitHub
BoringVault.sol — role-based access control structureBoringVault.sol enter()/exit() require MINTER/BURNER roles; ManagerWithMerkleVerification requires MANAGER_ROLE; RolesAuthority manages all; 3-of-5 Safe is RolesAuthority ownerretrieved 2026-05-17

Methodology #

Determine whether the upgrade role, fee-collection role, and oracle-config role are assigned to distinct addresses.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol veda factor RD-F-035 score yellow collected_at 2026-05-17 12:41:22