defirisk.co
rubric v1.7.0

delegatecall with user-controlled target

Aave v3's assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No user-controlled delegatecall found in Aave v3 core. Internal delegatecall to PoolLogic libraries uses fixed library addresses set at initialization — not user-controllable. Confirmed by multiple audit reviews.

Sources #

  • GitHub
    aave-v3-origin Pool.solaave-v3-origin Pool.sol architecture (library delegatecall pattern)retrieved 2026-04-27

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol aave-v3 factor RD-F-012 score green collected_at 2026-04-27 23:28:46