delegatecall with user-controlled target
Chainlink CCIP's assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No user-controlled `delegatecall` found. OffRamp.sol and OnRamp.sol contain no `delegatecall`. ManyChainMultiSig uses a standard `.call()` for execution. RBACTimelock uses `.call()`, not `delegatecall`. ARMProxy's fallback uses `delegatecall` to its implementation, but the implementation address is set by the owner (not user-supplied). No open delegatecall-to-user-target pattern identified.
Sources
- GitHub: ManyChainMultiSig.sol — execution uses .call(). ManyChainMultiSig.sol — .call() not delegatecall. Retrieved 2026-05-16.
- RBACTimelock.sol — execution uses .call(), no delegatecall. RBACTimelock.sol — .call() not delegatecall in executeBatch. Retrieved 2026-05-16.
Methodology
Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.
rubric_version: v1.7.0 | protocol: chainlink-ccip | factor: RD-F-012 | score: green | collected_at: 2026-05-16 01:55:09