← All Reports

Yearn — yvWBTC-1

1.2
yvWBTC-1 (WBTC-1 yVault) / Ethereum / May 11, 2026
View full report on GitHub →

Score Breakdown

CategoryWeightScore
Audits & Historical20%1.50
Centralization & Control30%1.00
Funds Management30%1.25
Liquidity Risk15%1.00
Operational Risk5%1.50
Final Score1.2 / 5.0
20%30%30%15%
Minimal Risk

Overview

yvWBTC-1 is a WBTC-denominated Yearn V3 vault (ERC-4626) on Ethereum mainnet. The vault holds 47.5051 WBTC (≈ $3.87M at the snapshot) and currently deploys 0% of ittotalDebt = 0, totalIdle = totalAssets. The vault's default queue is empty (get_default_queue() == []): the previously-attached Aave V3 WBTC Lender strategy was revoked from the vault (activation = 0 on-chain) between the April 27 and May 5 snapshots and remains revoked at this snapshot.

Per the Yearn team, the broader risk-1 vault posture during late April was a precautionary deallocation following the April 18, 2026 rsETH (KelpDAO) bridge exploit on the LayerZero OFT bridge layer (the rsETH event itself is documented in the hgETH reassessment report). For yvWBTC-1 specifically, the strategy revocation goes further than a temporary pull — there is now no strategy on the vault at all. Whether this is a permanent deprecation or a precursor to re-onboarding a different strategy under the 7-day timelock is not on-chain verifiable; the team's specific intent has not been independently verified.

yvWBTC-1 is also the newest and least mature vault in the mainnet risk-1 set — deployed May 13, 2025, ~11.9 months at the snapshot. PPS has barely moved (1.000037), reflecting that the vault has spent essentially all of its life undeployed.

Key architecture:

  • Vault: Standard Yearn V3 vault (v3.0.4) accepting WBTC deposits, issuing yvWBTC-1 shares. Deployed as an immutable Vyper minimal proxy (EIP-1167) via the v3.0.4 Yearn V3 Vault Factory (0x770D0d1Fb036483Ed4AbB6d53c1C88fb277D812F)
  • Strategy queue: empty (get_default_queue() == []). No strategy currently attached to the vault. Adding any new strategy requires a 7-day timelock proposal
  • Governance: Standard Yearn V3 Role Manager (0xb3bd6B2E61753C311EFbCF0111f75D29706D9a41) governed by the Yearn 6-of-9 ySafe with 7-day TimelockController for strategy additions

Key metrics (May 11, 2026, snapshot at block 25073237, timestamp 1778519075 = 17:04:35 UTC):

  • TVL: 47.50511676 WBTC (~$3.87M, Chainlink BTC/USD = $81,614.41, WBTC/BTC = 0.9972)
  • Total Supply: 47.50336273 yvWBTC-1
  • Price Per Share: 1.000037 WBTC/yvWBTC-1 (essentially unchanged over ~11.9 months — the vault has been mostly undeployed)
  • Total Debt: 0 (on-chain)
  • Total Idle: 47.50511676 WBTC (100% of TVL)
  • Deposit Limit: 100,000 WBTC (≈ $8.1B at snapshot — materially oversized, see Reassessment Triggers)
  • Profit Max Unlock Time: 5 days
  • Fees: 0% management fee, 10% performance fee

Important note: because the vault is 100% idle and has no strategy attached at all, depositors today earn 0% APR and there is no protocol-dependency surface beyond WBTC itself. The dependency, liquidity, and complexity assessments below reflect this state. If Yearn proposes a new strategy under the 7-day timelock, the dependency assessment should be re-run against the actual chosen strategy. Captured under Reassessment Triggers.

Links:

Risk Summary

Key Strengths

  • Battle-tested Yearn V3 infrastructure: 3 audits by top firms, ~24 months of clean V3 production. Immutable vault contract eliminates proxy upgrade risk
  • Standard Yearn governance: Yearn V3 Role Manager + 6-of-9 ySafe (named DeFi signers) + 7-day self-governed timelock
  • No Sky / USDS exposure: yvWBTC-1 is WBTC-native with no strategy attached and never routed through the Sky / USDS stack — this vault is excluded from the Sky concentration risk affecting the other stable risk-1 vaults
  • Trivially liquid today — 100% idle, atomic redemption with no slippage
  • No leverage. No cross-chain. No conversion hops — the vault holds WBTC directly with no strategy attached
  • 7-day timelock guard on any future strategy: any new strategy attachment must clear the Strategy Manager TimelockController before it can take debt — preserving a reassessment window

Key Risks

  • Idle posture (100% un-deployed) and empty queue persisting to May 11: per the Yearn team the April deallocation was precautionary following the April 18, 2026 rsETH bridge exploit (see hgETH report for verified facts about the event). The team's specific causal attribution has not been independently verified. Between the April 27 and May 5 snapshots the only attached strategy (Aave V3 WBTC Lender) was revoked entirely — this is a step beyond a temporary pull, and the rationale has not been independently confirmed. As of the May 11 snapshot no replacement strategy has been queued; any future deployment will require a new 7-day timelock proposal
  • Newest and least mature vault of the six mainnet risk-1 vaults (~11.9 months only). PPS appreciation is essentially zero (1.000037) reflecting the mostly-undeployed history
  • No yield while idle — depositors today earn 0% APR on the idle balance (PPS is essentially flat)
  • No diversification cushion if a new single-venue strategy is later attached: WBTC market liquidity is historically narrower than USD-stablecoin markets, so a future single-strategy attachment would carry venue-concentration risk
  • Re-deployment risk: when any new strategy is later proposed and funded, dependency, liquidity, and complexity scores need to be re-evaluated against the actual chosen mix

Critical Risks

  • None identified. All gates pass. The current idle posture and oversized deposit cap are temporary / cosmetic concerns rather than fundamental risks to the vault.
Full Report

Contract Addresses

Core yvWBTC-1 Contracts

Contract Address Type
yvWBTC-1 Vault 0x751F0cC6115410A3eE9eC92d08f46Ff6Da98b708 Yearn V3 Vault (v3.0.4), Vyper minimal proxy
Underlying asset (WBTC) 0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599 Wrapped Bitcoin (BitGo)
Accountant 0x5A74Cb32D36f2f517DB6f7b0A0591e09b22cDE69 Shared Yearn Accountant (0% mgmt, 10% perf)
Fee Recipient (Dumper) 0x590Dd9399bB53f1085097399C3265C7137c1C4Cf Claims fees and routes to auctions/splitters

Governance Contracts (shared with all Yearn V3 risk-1 vaults)

Contract Address Configuration
Yearn V3 Role Manager 0xb3bd6B2E61753C311EFbCF0111f75D29706D9a41 Single instance for all category-1 vaults
Daddy / ySafe (Governance) 0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52 6-of-9 Gnosis Safe
Brain (Operations) 0x16388463d60FFE0661Cf7F1f31a7D658aC790ff7 3-of-8 Gnosis Safe
Security 0xe5e2Baf96198c56380dDD5E992D7d1ADa0e989c0 4-of-7 Gnosis Safe
Strategy Manager (Timelock) 0x88Ba032be87d5EF1fbE87336b7090767F367BF73 TimelockController — 7-day delay
Keeper 0x604e586F17cE106B64185A7a0d2c1Da5bAce711E yHaaSRelayer — REPORTING only
Debt Allocator 0x1e9eB053228B1156831759401dE0E115356b8671 Minimal proxy — REPORTING + DEBT_MANAGER

Yearn V3 Infrastructure

Contract Address
Vault Factory (v3.0.4) 0x770D0d1Fb036483Ed4AbB6d53c1C88fb277D812F
Vault Original (v3.0.4) 0xd8063123BBA3B480569244AE66BFE72B6c84b00d

Strategies (0 in default queue, 0 with debt)

get_default_queue() returns [] at block 25073237. The previously-attached Aave V3 WBTC Lender (0x0B9Ae07457BAED5536B1f3e78C9649E980fB4EDc) was revoked from the vault — vault.strategies(0x0B9A…) returns (activation=0, last_report=0, current_debt=0, max_debt=0), indicating the strategy is no longer attached.

Adding any new strategy now requires a fresh addNewStrategy() proposal through the Strategy Manager TimelockController (7-day delay). Until that happens, yvWBTC-1 has no protocol dependency surface beyond WBTC itself.

Important: with no strategy attached, yvWBTC-1 is unambiguously not part of the Sky concentration risk that affects yvUSDC-1 / yvUSDS-1 / yvDAI-1. If a new strategy is proposed with Sky/USDS routing or rsETH-collateral exposure, the dependency assessment should be re-run.

Strategy Protocol Dependencies

None active or queued at the snapshot. The vault holds WBTC directly and does not currently interact with any external protocol other than the WBTC token itself.

Audits and Due Diligence Disclosures

Yearn V3 Core Audits

Auditor Date Scope Report
Statemind May 2, 2024 V3 Vaults (v3.0.0) PDF
ChainSecurity May 4, 2024 V3 Vaults + Tokenized Strategy (v3.0.0) 2 PDFs
yAcademy Jun 2024 V3 Vaults (v3.0.1) PDF

The v3.0.4 patch release (used by yvWBTC-1) was reviewed internally by the Yearn team rather than re-engaging external auditors. The diff from v3.0.2 is a minor patch-level change; the external audits cover the core architecture. Source: yearn-vaults-v3 GitHub releases.

Underlying Protocol Audits

No active underlying protocol dependency at the May 11, 2026 snapshot — the only previously-attached strategy (Aave V3 WBTC Lender) was revoked between the April 27 and May 5 snapshots and there are no strategies currently in the queue. Underlying-protocol audits will become applicable when a new strategy is added; this section will be reassessed at that point. The historical Aave V3 attachment is documented in the Historical Track Record below.

Strategy Review Process

All strategies pass through Yearn's 12-metric risk-scoring framework (RISK_FRAMEWORK.md). yvWBTC-1 is registered as Category 1 in the Role Manager (getCategory(vault) == 1), the strictest tier.

Bug Bounty

  • Yearn (Immunefi): active, $200,000 max payout (Critical). https://immunefi.com/bounty/yearnfinance/
  • Yearn (Sherlock): also listed at https://audits.sherlock.xyz/bug-bounties/30
  • Underlying-protocol bug bounties: N/A at this snapshot — no underlying protocol is integrated. When a strategy is added, the underlying protocol's bounty coverage will be evaluated at that point
  • Safe Harbor (SEAL): Yearn is not listed on the SEAL Safe Harbor registry

On-Chain Complexity

Trivially low — the vault holds WBTC directly with no strategy attached. There are no conversion hops, no leverage, no looping, no cross-chain. Standard ERC-4626 throughout. The vault contract itself is immutable.

If a new strategy is later attached, complexity will depend on the chosen integration; the previously-queued Aave V3 WBTC Lender would have been a simple single-hop lend.

Historical Track Record

  • Vault deployed: May 13, 2025 (deployment tx) — ~11.9 months in production. Newest of the six mainnet risk-1 vaults.
  • TVL: 47.5051 WBTC (~$3.87M) — well within the 100,000 WBTC deposit limit (the cap itself is materially oversized — see Reassessment Triggers)
  • PPS trend: 1.000000 → 1.000037 (essentially flat, ~0% annualized — the vault has been mostly undeployed over its short life)
  • Security incidents: None known for this vault or for the Yearn V3 framework
  • Strategy changes: the Aave V3 WBTC Lender (only strategy ever attached) was added 2025-05-18 and revoked at some point between the April 27 and May 5 snapshots — at the May 11 snapshot the vault still has no attached strategy
  • Yearn V3 track record: V3 framework live since May 2024 (~24 months). No V3 vault exploits

Yearn protocol TVL: ~$197.5M total across all chains (DeFiLlama, April 2026).

Funds Management

yvWBTC-1 currently holds 100% WBTC idle. There are no attached strategies to characterize.

Current State (snapshot)

  • Total Assets: 47.50511676 WBTC
  • Total Debt: 0
  • Total Idle: 47.50511676 WBTC (100%)
  • Capital utilization: 0% deployed
  • Default queue length: 0

WBTC is held directly at the vault contract. ERC-4626 redemptions settle atomically against this idle balance with no slippage.

Strategies

None attached at the snapshot. The vault has no protocol-dependency surface beyond WBTC itself. Adding any new strategy requires a 7-day TimelockController proposal.

Accessibility

  • Deposits: Permissionless ERC-4626. Subject to 100,000 WBTC deposit limit (cap is oversized — see Reassessment Triggers)
  • Withdrawals: ERC-4626. Atomic against idle balance — no strategy unwind needed
  • No cooldown or lock period
  • Fees: 0% management, 10% performance
  • Profit unlock: 5 days

Collateralization

  • 100% on-chain WBTC backing — all of TVL is held directly at the vault contract
  • Collateral quality: WBTC is a wrapped representation of BTC, custodied offchain by BitGo. Quality is tied to BitGo's custody integrity and historical proof-of-reserves cadence
  • No leverage
  • Fully redeemable — atomic redemption from the idle balance

Provability

  • PPS: ERC-4626, fully algorithmic
  • Strategy totalAssets(): n/a — no strategy attached
  • Profit / loss reporting: n/a today (no strategy reports flow); when a strategy is later attached, profits would unlock over 5 days

Liquidity Risk

Trivially atomic. totalAssets() = totalIdle() = 47.5051 WBTC, so any user redemption settles against the vault's WBTC balance with no slippage, no strategy unwind, and no dependency on any underlying lending market's utilization.

  • Exit pipeline: ERC-4626 withdraw against the vault's idle WBTC balance — single transaction, no external protocol calls
  • Same-asset: WBTC-denominated share token — no price-divergence risk inside the vault (BTC custody risk is upstream of the vault)
  • No DEX liquidity needed
  • No withdrawal queue or cooldown
  • Deposit limit: 100,000 WBTC cap vs 47.5051 WBTC TVL — materially oversized; not a liquidity issue today, but should be tightened before any future strategy attachment

If a new strategy is attached later, the liquidity profile will become a function of that strategy's underlying market — captured under Reassessment Triggers.

Centralization & Control Risks

Governance

Position Address Threshold Roles on Vault
Daddy (ySafe) 0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52 6-of-9 12 of 14 vault roles
Brain 0x16388463d60FFE0661Cf7F1f31a7D658aC790ff7 3-of-8 QUEUE, REPORTING, DEBT, MAX_DEBT, DEPOSIT_LIMIT, WITHDRAW_LIMIT, PROFIT_UNLOCK, DEBT_PURCHASER, EMERGENCY
Security 0xe5e2Baf96198c56380dDD5E992D7d1ADa0e989c0 4-of-7 DEBT, MAX_DEBT, EMERGENCY
Strategy Manager (Timelock) 0x88Ba032be87d5EF1fbE87336b7090767F367BF73 7-day delay ADD_STRATEGY, REVOKE_STRATEGY, FORCE_REVOKE, ACCOUNTANT, MAX_DEBT
Keeper 0x604e586F17cE106B64185A7a0d2c1Da5bAce711E Bot REPORTING only
Debt Allocator 0x1e9eB053228B1156831759401dE0E115356b8671 Bot REPORTING + DEBT_MANAGER

ySafe 6-of-9 signers include publicly known DeFi contributors — see Yearn Multisig Info.

Properties:

  1. No EOA holds vault roles directly
  2. Strategy additions and accountant changes pass through 7-day timelock
  3. Self-governed timelock — TIMELOCK_ADMIN belongs to the timelock itself
  4. Vault contract is immutable — Vyper minimal proxy
  5. Same governance pattern across 37+ vaults

Programmability

  • PPS: ERC-4626, fully algorithmic
  • Vault operations: permissionless deposit / withdraw on-chain
  • Strategy reporting: automated via keeper (when strategy is funded)
  • Debt allocation: Debt Allocator (automated) + Brain (manual) — currently 0 deployed
  • Off-chain inputs: none

External Dependencies

Today: none directly funded. The only critical dependency is the underlying WBTC token itself (and its BitGo-custodied BTC backing).

If a new strategy is later attached: dependency profile becomes a function of the chosen strategy. The previously-attached Aave V3 WBTC Lender is the natural candidate; if re-attached, dependency would be:

Dependency Criticality Notes
WBTC (BitGo) Critical (underlying asset) Wrapped BTC; relies on BitGo's custody integrity and proof-of-reserves practice
Aave V3 High (if/when funded) Blue-chip, $30B+ TVL

Operational Risk

  • Team: Yearn Finance — established 2020, public contributors, named multisig signers
  • Vault management: Standard Yearn V3 Role Manager pattern shared across 37+ vaults
  • Documentation: Comprehensive Yearn V3 documentation. Strategy code verified on Etherscan
  • Legal: Yearn BORG via YIP-87
  • Incident response: 4 historical V1 events handled. V3 framework not yet stress-tested by an exploit
  • V3 immutability: vault cannot be upgraded
  • Operational anomalies:
    • Current 100%-idle posture and zero attached strategies is itself an operational signal — Brain / Daddy have actively pulled all debt and revoked the only attached strategy between the April 27 and May 5 snapshots, and the empty-queue state has persisted through the May 11 snapshot. The broader risk-1 vault deallocation in late April was attributed by the Yearn team to a precautionary response following the rsETH bridge exploit (unverified attribution); the strategy revocation here is more permanent than a deallocation and the rationale has not been independently verified
    • Oversized deposit cap (100,000 WBTC ≈ $8.1B) vs current 47.5 WBTC TVL — not a safety risk while the vault is undeployed, but should be tightened or its rationale documented before any future strategy attachment. Action item under Reassessment Triggers
    • Not yet in alert_large_flows.py monitoring list — likely an oversight given how recently the vault was deployed and that it currently holds no debt. Recommend Yearn adds it before any meaningful TVL

Monitoring

Existing Monitoring Infrastructure

Yearn maintains the monitoring repository with active alerting. Important: yvWBTC-1 is NOT yet in the alert_large_flows.py VAULTS dictionary (verified against the script). The other five mainnet risk-1 vaults (yvUSDC-1, yvUSDS-1, yvWETH-1, yvDAI-1, yvUSDT-1) are present. Recommend adding yvWBTC-1 before any meaningful TVL.

Other monitoring that does cover yvWBTC-1 implicitly via the broader Yearn V3 set:

  • Endorsed vault check (yearn/check_endorsed.py) — weekly
  • Timelock monitoring (timelock/timelock_alerts.py)

Key Contracts

Contract Address Monitor
yvWBTC-1 Vault 0x751F0cC6115410A3eE9eC92d08f46Ff6Da98b708 PPS (convertToAssets(1e8)), totalAssets(), totalDebt(), totalIdle(), Deposit / Withdraw events, StrategyChanged
Strategy Manager (Timelock) 0x88Ba032be87d5EF1fbE87336b7090767F367BF73 New addStrategy() proposals (7-day delay)
ySafe (Daddy) 0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52 Signer / threshold changes
Accountant 0x5A74Cb32D36f2f517DB6f7b0A0591e09b22cDE69 Fee changes

Critical Events to Monitor

  • New strategy attachmentStrategyChanged(strategy, ChangeType.ADDED) would indicate the timelock has executed an addNewStrategy() proposal; trigger reassessment to evaluate the new dependency
  • Idle ratio change — currently 100%; a drop after a strategy is attached indicates re-deployment
  • Strategy current_debt changesDebtUpdated events on the vault (n/a until a strategy is attached)
  • Emergency actions (Shutdown)
  • ySafe / Brain / Security signer or threshold changes
  • PPS decrease — should only increase outside of explicit loss events
  • Deposit-limit changes — particularly relevant given the current oversized cap
  • WBTC-specific: BitGo custody / proof-of-reserves issues, WBTC-BTC peg deviation, blacklisting events

Monitoring Functions

Function Contract Purpose Frequency
convertToAssets(1e8) Vault PPS tracking Every 6 hours
totalAssets() Vault Total TVL Daily
totalDebt() / totalIdle() Vault Capital deployment ratio — key early signal that a strategy has been attached and funded Daily
get_default_queue() Vault Queue composition — currently empty; non-empty indicates a new strategy attachment Daily
deposit_limit() Vault Cap monitoring (currently oversized) Daily
getThreshold() / getOwners() ySafe Governance integrity Weekly
getMinDelay() ySafe Delay change detection Weekly

Reassessment Triggers

  • Time-based: Reassess in 6 months (October 2026) or annually
  • TVL-based: Reassess if TVL exceeds 200 WBTC (~$15M) or changes by ±50%
  • rsETH-related deallocation and strategy revocation:
    • rerun this assessment once Yearn attaches and funds any new strategy on yvWBTC-1. The current 100%-idle / empty-queue posture has persisted from the May 5 to May 11 snapshots; the dependency profile and liquidity score all need re-evaluation against any future chosen strategy
    • if any new strategy is added that takes direct or indirect rsETH exposure, full re-review of the dependency subscore
  • Strategy posture:
    • any addStrategy() proposal at the Strategy Manager TimelockController (0x88Ba032be87d5EF1fbE87336b7090767F367BF73) targeting yvWBTC-1 — review during the 7-day delay window before the strategy can be funded
    • if a USDS-denominated or Sky-routed strategy is later attached to yvWBTC-1, the "no Sky concentration" exclusion no longer holds — re-evaluate dependency and concentration scores against the broader risk-1 stable stack
    • if more than one strategy is attached, re-evaluate the dependency subscore for diversification
  • Underlying-protocol incidents: any major incident affecting WBTC (or the protocol of any future attached strategy) — full re-review
  • Action items (operational hygiene):
    • Tighten the deposit cap — current deposit_limit = 100,000 WBTC (≈ $8.1B at snapshot) is materially above any plausible near-term TVL. Either tighten the cap (e.g. to a multiple of intended TVL) or document the rationale with the Yearn team and revisit this report before re-deployment
    • Add yvWBTC-1 to alert_large_flows.py monitored vault list before any meaningful TVL
  • WBTC-specific:
    • BitGo proof-of-reserves issues
    • sustained WBTC-BTC peg deviation
    • significant blacklisting / freezing events affecting WBTC
  • Governance-based: ySafe / Brain / Security signer or threshold changes; any change to the timelock delay (would itself require 7 days)

Appendix: Contract Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                         VAULT LAYER                                  │
│                                                                      │
│  ┌───────────────────────┐                                          │
│  │  yvWBTC-1 (v3.0.4)   │                                          │
│  │  ERC-4626, immutable  │                                          │
│  │  0x751F…b708          │                                          │
│  │                       │                                          │
│  │  47.5 WBTC TVL        │                                          │
│  │  (~$3.87M)            │                                          │
│  │  100% idle            │  ← all WBTC held at vault contract       │
│  │  totalDebt = 0        │                                          │
│  │  default queue = []   │  ← no strategy attached                  │
│  │  deposit_limit=100k   │  ← oversized vs TVL                      │
│  └───────────────────────┘                                          │
│                                                                      │
│  Strategies in queue: NONE (`get_default_queue() == []`)            │
│   - Previously-attached Aave V3 WBTC Lender revoked between Apr 27  │
│     and May 5 snapshots (`activation = 0` at 0x0B9A…4EDc)           │
└──────────────────────────────────────────────────────────────────────┘

At the snapshot the vault holds WBTC directly with no strategy attached
and no protocol dependency surface beyond WBTC itself. Any new strategy
must clear a 7-day TimelockController proposal before it can hold debt.
Whether the empty-queue posture is permanent deprecation or a precursor
to re-onboarding under the timelock is not on-chain verifiable today.
The vault remains fully outside the Sky / USDS concentration that
affects yvUSDC-1 / yvUSDS-1 / yvDAI-1.

Appendix: TimelockController Role Structure

TimelockController 0x88Ba032be87d5EF1fbE87336b7090767F367BF73 — same timelock used by 37+ Yearn V3 vaults including all six mainnet risk-1 vaults. getMinDelay() = 604800 (7 days).

Role Holder Type Notes
DEFAULT_ADMIN No holder Never granted (admin = address(0))
TIMELOCK_ADMIN Timelock itself Contract Self-governed
PROPOSER Daddy/ySafe 6-of-9 Safe Sole proposer
EXECUTOR Daddy/ySafe 6-of-9 Safe Direct execution
EXECUTOR TimelockExecutor 0xf8f60bf9456a6e0141149db2dd6f02c60da5779b Contract Wrapper: Brain (3/8) + deployer EOA can call execute() through it
CANCELLER Daddy/ySafe 6-of-9 Safe Cancel pending proposals
CANCELLER Brain 3-of-8 Safe Cancel pending proposals

To shorten the delay, Daddy 6/9 must propose updateDelay(), wait 7 days during which Brain or Daddy can cancel, then execute. DEFAULT_ADMIN was never granted, so no party can self-grant PROPOSER or TIMELOCK_ADMIN to skip the flow.

Submit report inaccuracy