Arbitrary call with user-controlled target

Across Protocol's assessment for RD-F-013 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The SwapAndBridge/SwapProxy periphery uses low-level `.call` to exchange contracts where calldata is user-supplied. OZ audit identified this in context ("calldata parameters are arbitrarily given by the user; only restriction is selector ≠ ERC-20 transferFrom"). Periphery audits (May 2025) resolved medium "DoS Attack on Swapping via Permit2" by validating the exchange parameter. The `SwapProxy.performSwap` pattern uses user-supplied calldata to a designated exchange address — this is a user-c...

Sources #

URL
https://www.openzeppelin.com/news/periphery-changes-auditretrieved 2026-04-28

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol across-protocol factor RD-F-013 score yellow collected_at 2026-04-30 21:19:18