Access Control
Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.
How This Score Is Built
Score Composition
MIN_VALID_ORACLES = 1 confirmed live (cast) — single-oracle aggregation, weak quorum
ON-CHAIN (cast, block ~36.45M, chain 999): DEFAULT_ADMIN_ROLE on StakingManager/ValidatorManager/StakingAccountant/OracleManager/kHYPE/PauserRegistry is held by EXACTLY ONE address = 0x18A82c968b992D28D4D812920eB7b4305306f8F1, which is a Gnosis Safe v1.3.0 with 8 owners and a 4-of-8 threshold (getThreshold()=4, nonce 60). This is a material POSITIVE vs the assumed single-key topology: four of the eight Safe owners must collude to abuse admin power. Raised D1 from 45 to 55.
Framework is sound: OZ AccessControlEnumerableUpgradeable across all 6 core contracts, 10 role constants (MANAGER, OPERATOR, ORACLE_MANAGER, PAUSE_ALL, PAUSER, UNPAUSER, SENTINEL, TREASURY, MINTER, BURNER)
ON-CHAIN: ORACLE_MANAGER_ROLE on ValidatorManager is held only by the OracleManager CONTRACT (0x1928..049b), so reportRewardEvent/reportSlashingEvent (#2258) are NOT EOA-permissionless on the live deployment. This bounds the real exploitability of those critical findings to oracle/operator compromise (centralization, a standard bounty exclusion).
ON-CHAIN: OPERATOR_ROLE = single EOA 0x23A4604cDFe8e9e2e9Cf7C10D7492B0F3f4B4038 on both StakingManager and OracleManager, an operational single point of failure (drives generatePerformance / L1 ops). MANAGER_ROLE = the same 4/8 Safe.
A GENUINELY PERMISSIONLESS code defect remains: the ValidatorSanityChecker setter functions have ZERO access control (#36/#2551, passing PoC), so any EOA can widen tolerances. This is the real residual D1 risk and caps the score below 60.
Evidence Chain (1 file)
Score History
No dimension-level score changes recorded yet.