defirisk.co

delegatecall/call in proposal execution without allowlist

The Aave v3 assessment for factor RD-F-039 scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Aave's Executor contracts delegatecall into the payload contract supplied by each proposal, and the Executor enforces no on-chain allowlist of permitted targets. The exposure is mitigated by: (a) the 1-day and 7-day timelock delays, (b) the 5-of-9 Governance Guardian, which can cancel malicious proposals, and (c) Certora's review of 470+ proposals, published in the public proposals-reports repo. The structural exposure (no allowlist) exists but is operationally mitigated.

Sources

Methodology

Determine whether the governance executor contract uses `delegatecall` or `call` with a proposal-supplied target without enforcing an allowlist of permitted targets.
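The two patterns this factor distinguishes, as an added illustration that is not Aave's code: a hypothetical minimal executor that delegatecalls whatever payload the proposal names, beside the same executor gated by an on-chain allowlist. Contract names, the `governance` role and the `execute()` payload selector are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal governance executor (not Aave's code). The payload
// address comes straight from the queued proposal and runs via delegatecall
// in this contract's storage context, so the Executor itself places no
// restriction on which code executes. This is the pattern RD-F-039 flags.
contract ExecutorNoAllowlist {
    address public immutable governance;

    constructor(address governance_) { governance = governance_; }

    // Any target passes; safety rests entirely on off-chain and
    // process controls (timelock delay, guardian cancellation, review).
    function execute(address payload) external {
        require(msg.sender == governance, "not governance");
        (bool ok, ) = payload.delegatecall(abi.encodeWithSignature("execute()"));
        require(ok, "payload failed");
    }
}

// Same executor with an on-chain allowlist of payload contracts. Approving
// a payload becomes a separate, visible on-chain step; whether that step is
// held by a different role or its own delay is a design choice outside this
// snippet, but the executor no longer runs unvetted code on its own.
contract ExecutorWithAllowlist {
    address public immutable governance;
    mapping(address => bool) public allowedPayload;

    event PayloadAllowed(address indexed payload, bool allowed);

    constructor(address governance_) { governance = governance_; }

    function setAllowed(address payload, bool allowed) external {
        require(msg.sender == governance, "not governance");
        allowedPayload[payload] = allowed;
        emit PayloadAllowed(payload, allowed);
    }

    function execute(address payload) external {
        require(msg.sender == governance, "not governance");
        // The check the factor methodology looks for at the Executor level.
        require(allowedPayload[payload], "payload not allowlisted");
        (bool ok, ) = payload.delegatecall(abi.encodeWithSignature("execute()"));
        require(ok, "payload failed");
    }
}
```

When reviewing an executor against this factor, the question is whether a check like the `allowedPayload` require exists on-chain, or whether, as in the first contract, target restriction is left to process controls.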


rubric_version: v1.7.0
protocol: aave-v3
factor: RD-F-039
score: yellow
collected_at: 2026-04-27 23:28:46