Arbitrary call with user-controlled target

Chainlink CCIP's assessment for RD-F-013 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

RBACTimelock executeBatch() uses call.target.call{value}(call.data) — arbitrary target and calldata with no contract-level allowlist. Access is gated to EXECUTOR_ROLE. ManyChainMultiSig execute() similarly allows arbitrary calls gated behind Merkle root signatures from authorized operators. Role gating prevents anonymous exploitation but no contract-level target allowlist exists.

Sources #

GitHub
RBACTimelock.sol — executeBatch uses arbitrary .call() to targetRBACTimelock.sol executeBatch — call.target.call{value}(call.data) with no target allowlistretrieved 2026-05-16

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol chainlink-ccip factor RD-F-013 score yellow collected_at 2026-05-16 01:55:09