delegatecall with user-controlled target
Balancer (v2 + v3)'s assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
v2 Vault: no delegatecall with a user-controlled target. Pool factories create immutable pool contracts. v3: the Vault delegates to VaultExtension/VaultAdmin at hardcoded, constructor-set addresses, so the target is not user-controllable. AuthorizerAdaptor routes admin calls, but its scope is admin-restricted. No published high/critical audit finding reports a user-controlled delegatecall target in v2 or v3 core. Confidence [?] without tool run.
Sources
- GitHub, v3 VaultExtension: onlyVaultDelegateCall, hardcoded delegatecall. https://github.com/balancer/balancer-v3-monorepo/blob/main/pkg/vault/contracts/VaultExtension.sol (retrieved 2026-05-05)
- Balancer v2 audit reports directory. https://github.com/balancer/balancer-v2-monorepo/tree/master/audits (retrieved 2026-05-05)
Methodology
Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.
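The two patterns this check distinguishes, as an added illustration that is not Balancer's code: a proxy whose delegatecall target comes from calldata (the pattern RD-F-012 flags) beside a proxy whose target is immutable and constructor-set, plus a guard on the extension side that loosely mirrors the role onlyVaultDelegateCall plays. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Pattern the check flags: the caller picks the delegatecall target, so any
// account can run arbitrary code against this contract's storage and balance.
contract UserTargetProxy {
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.delegatecall(data); // target is user-supplied
        require(ok, "delegatecall failed");
    }
}

// Pattern the evidence describes for the v3 Vault (hypothetical names): the
// target is fixed at deployment and never derived from msg.sender or msg.data.
contract FixedTargetProxy {
    address private immutable _extension;

    constructor(address extension) {
        require(extension.code.length > 0, "extension must be a contract");
        _extension = extension;
    }

    fallback() external payable {
        address target = _extension; // hardcoded, not user-controllable
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), target, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Extension side: refuse direct calls so its logic only ever runs in the
// proxy's storage context. This is an assumed simplification of the
// onlyVaultDelegateCall idea, not the v3 implementation.
contract FixedExtension {
    address private immutable _self = address(this);
    uint256 public counter;

    modifier onlyDelegateCall() {
        require(address(this) != _self, "must be delegatecalled");
        _;
    }

    function bump() external onlyDelegateCall { counter += 1; }
}
```

When reviewing, grep for `delegatecall` and trace each target back to its source: an `immutable`, constructor-set address or an on-chain allowlist passes; a function parameter, storage slot writable by non-admins, or value decoded from calldata does not.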