D1
Access Control
Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.
Weight 18%70% confidence
55
Moderate
info
How This Score Is Built
Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.
+23Strong positive
+12Positive
+5Slight positive
−15Strong negative
−8Negative
−3Slight negative
Scoring Tree
BRI Formula
300 + 700 × ∏(Dᵢ/100)^wᵢ
721
Current BRI
D1Access Control
Weight 18%
55
(55/100)^0.18 = 0.8980
Contributing Factors
+14Owner-based ACL (no role separation: owner controls strategy migration, token rescue, fee config)
+14Strategy has separate keeper/strategist/manager roles but all controlled by same Beefy team
+14Vault owner can call inCaseTokensGetStuck (rescue) but cannot touch want token
+14earn() is fully permissionless with no rate limiting
-45No on-chain timelock for most admin functions (only strategy migration has approvalDelay)
Score Composition
-45
No on-chain timelock for most admin functions (only strategy migration has approvalDelay)
+14
Owner-based ACL (no role separation: owner controls strategy migration, token rescue, fee config)
+14
Strategy has separate keeper/strategist/manager roles but all controlled by same Beefy team
+14
Vault owner can call inCaseTokensGetStuck (rescue) but cannot touch want token
+14
earn() is fully permissionless with no rate limiting
Evidence Chain (2 files)
GitHub APIMay 17, 2026, 06:58 PM
open_in_newGitHub (/)sha256:516b7d4fceaf...
BlackHart AnalysisMay 4, 2026, 11:30 PM
open_in_newAccess Control — Source Codesha256:542f640ec0ed...
Score History
No dimension-level score changes recorded yet.
Methodology: 2.1Formula: 1.1Weights: 1.1