Governance And Key Risk

Key Compromise Impact

  • roleAdmin compromise can eventually reassign all power.
  • proposer/queuer/executor compromise can push unsafe code if monitoring fails.
  • registrar compromise can register incorrect targets or approvals.

Operational Controls

  • isolated multisigs per role class
  • signer hardware isolation
  • deterministic artifact attestations
  • mandatory queue-monitoring and cancellation drills

Timelock Benefit

The 7-day minimum delay is a detection-and-response window, not a guarantee. It helps only if monitoring and cancellation are active.

Source-Grounded Impact

The governor enforces roles correctly only if role holders are trustworthy. A compromised proposer can stage an operation, a compromised queuer can start the delay, a compromised executor can execute after readyAt, and a compromised registrar can alter the trusted target/implementation surface. A compromised roleAdmin can eventually reshape all of those powers.

Required Monitoring

Monitor role grants, role revokes, role-admin transfer, target registration, genesis approvals, upgrade proposals, queues, executions, cancellations, and final-freeze attempts. Every event must map to an approved governance ticket.
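One way to enforce the ticket-mapping rule is to reconcile observed governance events against an allowlist of approved tickets. The sketch below is an added example, not the project's own code. The event names, the `Event` fields, the ticket ids and the sample data are assumptions constructed for illustration; only the 7-day minimum delay and `readyAt` come from this page.

```python
from dataclasses import dataclass

MIN_DELAY = 7 * 24 * 3600  # the page's 7-day minimum delay, in seconds

# Hypothetical event names covering the categories listed under Required Monitoring.
MONITORED = {
    "RoleGranted", "RoleRevoked", "RoleAdminTransferred", "TargetRegistered",
    "GenesisApproved", "UpgradeProposed", "OperationQueued",
    "OperationExecuted", "OperationCancelled", "FinalFreezeAttempted",
}

@dataclass(frozen=True)
class Event:
    name: str
    op_id: str         # operation or subject identifier (assumed field)
    timestamp: int     # block time, seconds
    ready_at: int = 0  # readyAt; only meaningful for OperationQueued

def reconcile(events, approved):
    """Return alerts for events that do not map to an approved ticket.

    approved maps (event name, op_id) -> ticket id.
    Each alert is (kind, event name, op_id, cancellation deadline or None).
    """
    alerts = []
    for ev in events:
        if ev.name not in MONITORED:
            alerts.append(("UNKNOWN_EVENT", ev.name, ev.op_id, None))
            continue
        if (ev.name, ev.op_id) not in approved:
            # For a queued operation, the response window closes at ready_at.
            deadline = ev.ready_at if ev.name == "OperationQueued" else None
            alerts.append(("NO_TICKET", ev.name, ev.op_id, deadline))
        if ev.name == "OperationQueued" and ev.ready_at - ev.timestamp < MIN_DELAY:
            alerts.append(("SHORT_DELAY", ev.name, ev.op_id, ev.ready_at))
    return alerts

# Constructed sample data, not taken from any real deployment.
APPROVED = {("UpgradeProposed", "op-1"): "GOV-101",
            ("OperationQueued", "op-1"): "GOV-101"}
EVENTS = [
    Event("UpgradeProposed", "op-1", 1_000),
    Event("OperationQueued", "op-1", 2_000, ready_at=2_000 + MIN_DELAY),
    Event("OperationQueued", "op-2", 3_000, ready_at=3_000 + MIN_DELAY),  # no ticket
    Event("RoleGranted", "registrar:0xNEW", 4_000),                        # no ticket
]

if __name__ == "__main__":
    for alert in reconcile(EVENTS, APPROVED):
        print(alert)
```

The deadline on a `NO_TICKET` alert for a queued operation is the latest time at which cancellation can still prevent execution, which is what turns the timelock delay into an actual response window.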