defirisk.co
rubric v1.7.0

delegatecall/call in proposal execution without allowlist

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology: how we score

**What this measures** This factor identifies whether a protocol's governance executor contract uses `delegatecall` or `call` with a target address taken from the proposal payload, and does so without enforcing an on-chain allowlist of permitted targets. When the executor delegatecalls an address supplied by the proposal, the target's code runs in the executor's own context: its storage (including whatever governor, admin and timelock settings live there), its ETH and token balances, and its address as `msg.sender` toward every other contract. A plain `call` to an arbitrary target does not expose the executor's storage, but it still lends the target the executor's authority over every contract where the executor holds an admin or owner role, which is why both opcodes are in scope.

**Why it matters** Unrestricted `delegatecall` in proposal execution is a complete governance takeover primitive. OpenZeppelin's governance security guidance highlights that "a contract controlled by a single proposer has all the power over the timelock and can submit whichever transaction they like", but the situation is worse when the executor itself will delegatecall any address the proposal specifies, because the attacker does not even need proposer privileges: voters approve a target address and calldata, and under delegatecall the effect of that payload is not bounded by what the calldata appears to do. A further caveat for reviewers is that the target's code is not pinned by the vote; if the target is an upgradeable proxy or can be redeployed at the same address, the code that runs at execution time can differ from what voters reviewed. The attack surface is particularly dangerous in protocols that adopted early OpenZeppelin Governor patterns without restricting the executor's targets, or that route execution through custom registries of handler contracts.

**Green / Yellow / Red** Green is assigned when the governance executor enforces a strict allowlist of callable targets, or when proposal execution is limited to predefined function selectors and addresses with no external `delegatecall` path. Yellow covers protocols with a partial allowlist that does not cover all execution paths, or where the allowlist is itself modifiable by an admin key outside the governance process. Red is assigned when governance proposal execution invokes `delegatecall` or `call` with a proposal-supplied target and no allowlist is enforced on-chain.

**Common gray cases** This factor is scored gray when the protocol has no on-chain governance execution and all proposals are executed manually by a multisig, or when verified source code for the executor is unavailable.

**Notable historical examples**

- **Furucombo** ($14M, 2021): the handler registry allowlisted a proxy contract as a target; the outer proxy's delegatecall into it ran attacker-controlled code in Furucombo's own context (a storage collision), draining token approvals users had granted the proxy. The lesson for this factor is that allowlisting an address does not bound its behaviour when that address is itself a proxy.
- **Raft** ($3.3M, 2023): the loss came from a flash loan plus collateral inflation during position liquidation that allowed an effectively unbounded R mint, after which most of the proceeds were lost to a bug in the attacker's own contract that sent them to the burn address. It is linked to this factor through the handler-registry cross-hack mapping rather than through a governance executor flaw, and it illustrates how unguarded delegate-style execution produces unpredictable outcomes.

**★ Critical factor** This factor alone is sufficient to trigger a D or F grade under rubric v1.7.0 — a single red assessment here overrides all other category scores. An unrestricted delegatecall in governance execution converts any passed proposal into a full arbitrary-code-execution event against the executor's storage and funds.

Measurement: what to look for

Determine whether the governance executor contract uses `delegatecall` or `call` with a proposal-supplied target without enforcing an allowlist of permitted targets on-chain. Check every execution path (direct execute functions, batch or multicall wrappers, timelock relays), not only the one the documentation describes.
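The pattern this factor scores, as an added example that is not code from this page or from any scored protocol: a Red executor that delegatecalls a proposal-supplied target, the kind of handler such a proposal can carry, and a Green executor that restricts plain calls to an allowlist of (target, selector) pairs editable only through governance itself. All contract and function names are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for factor RD-F-039; not code from any scored protocol.
// Contract and function names are assumptions chosen for this example.

/// RED pattern: the proposal supplies `target`, and the executor delegatecalls it.
/// The target's code then runs with this contract's storage, ETH balance and
/// address, so whatever the proposal looked like, it can rewrite `governor`,
/// zero the delay, or move funds.
contract UnrestrictedExecutor {
    address public governor; // slot 0
    uint256 public delay;    // slot 1

    constructor(address _governor, uint256 _delay) {
        governor = _governor;
        delay = _delay;
    }

    receive() external payable {}

    function execute(address target, bytes calldata data) external {
        require(msg.sender == governor, "not governor");
        // No allowlist: any address in the proposal payload is accepted.
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, string(ret));
    }
}

/// What a proposal target can do under delegatecall. Its storage layout mirrors
/// the executor's, so writes land in the executor's slots (a storage collision),
/// and `address(this)` is the executor, so the executor's balance is in reach.
contract HostileHandler {
    address public governor; // collides with UnrestrictedExecutor.governor
    uint256 public delay;    // collides with UnrestrictedExecutor.delay

    function run(address newOwner) external {
        governor = newOwner;                               // executor now obeys the attacker
        delay = 0;                                         // any timelock delay is gone
        payable(newOwner).transfer(address(this).balance); // and the executor's ETH follows
    }
}

/// GREEN pattern: no delegatecall at all; a plain call, and only to
/// (target, selector) pairs on an allowlist that can be changed solely through
/// execute() itself, i.e. by another passed proposal. If an admin key could
/// edit `allowed` directly, the rubric would score this Yellow, not Green.
contract AllowlistedExecutor {
    address public immutable governor;
    mapping(address => mapping(bytes4 => bool)) public allowed;

    event AllowlistUpdated(address indexed target, bytes4 indexed selector, bool permitted);
    event Executed(address indexed target, bytes4 indexed selector, uint256 value);

    constructor(address _governor) {
        governor = _governor;
    }

    receive() external payable {}

    /// Reachable only via execute(), so allowlist changes go through the same
    /// vote (and any timelock delay) as every other proposal.
    function setAllowed(address target, bytes4 selector, bool permitted) external {
        require(msg.sender == address(this), "only via proposal");
        allowed[target][selector] = permitted;
        emit AllowlistUpdated(target, selector, permitted);
    }

    function execute(address target, uint256 value, bytes calldata data) external {
        require(msg.sender == governor, "not governor");
        require(data.length >= 4, "no selector");
        bytes4 sel = bytes4(data[:4]);
        // A self-call to setAllowed is always permitted so the allowlist can be
        // bootstrapped and maintained by governance; everything else must be listed.
        bool isAllowlistEdit = target == address(this) && sel == this.setAllowed.selector;
        require(isAllowlistEdit || allowed[target][sel], "target/selector not allowlisted");
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        require(ok, string(ret));
        emit Executed(target, sel, value);
    }
}
```

Two review points follow from the contrast. First, the allowlist keys on the selector as well as the address, because an allowlisted target reached with arbitrary calldata is still an arbitrary action. Second, allowlisting an address does not pin its behaviour: if a listed target is an upgradeable proxy, or can be redeployed at the same address, the code that runs at execution time can differ from what voters reviewed, which is the shape of the Furucombo incident above, so check what kind of contract each allowlisted target is, and run Slither's `controlled-delegatecall` detector against the executor to catch the Red pattern mechanically.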

Data & output

Data source: Slither `controlled-delegatecall` detector + source inspection of the governor/timelock executor on Etherscan-verified source
Output format: Green / Yellow / Red · critical gate active
Evidence artifact: Slither output + executor source excerpt
Confidence signal: green = no proposal-target `delegatecall`/`call`, or an explicit allowlist enforced; red = unconstrained `delegatecall`/`call` in the execution path; gray = source unverified

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-039 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | not_applicable |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | red |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | green |
| Ethena | ethereum | not_assessed |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | red |
| Marinade Finance | solana | green |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | green |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | not_applicable |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | not_applicable |
| QuickSwap | polygon | green |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | not_applicable |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | not_applicable |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: 2 historical incidents

- Raft (2023-11-10, $3M): Flash loan + collateral inflation via position liquidation → infinite R mint → stablecoin dump. Tagged ★ delegatecall in proposal execution path (via cross-hack: Factor 22: Delegatecall-to-Proxy in Handler Registry).
- Furucombo (2021-02-27, $14M): Evil Contract — Delegatecall Storage Collision. Tagged ★ delegatecall in proposal execution path (via cross-hack: Factor 22: Delegatecall-to-Proxy in Handler Registry).
rubric_version: v1.7.0 · factor: RD-F-039 · category: 2 · carried: 80 · critical: yes