★ delegatecall/call in proposal execution without allowlist

Compound V3 (Comet)'s assessment for RD-F-039 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

GovernorBravoDelegate.execute() calls timelock.executeTransaction(targets[i], values[i], signatures[i], calldatas[i], eta). Timelock.executeTransaction() performs target.call{value}(callData) with NO enforced allowlist on target or calldata. Any address can be targeted. Comet exposes approveThis(asset, manager, amount) and withdrawReserves(address to, uint amount) callable by governor/Timelock — full drain vectors. Demonstrated by Proposal 289 (July 2024): 682,191 vs 633,636 votes, $24M COMP nearly transferred; cancelled only by social negotiation with attackers.

Sources #

GitHub
https://github.com/compound-finance/comet/blob/main/contracts/CometMainInterface.solretrieved 2026-04-28
URL
https://unchainedcrypto.com/compound-governance-attackers-agree-to-cancel-proposal-in-exchange-for-staking-product/retrieved 2026-04-28
GitHub
https://github.com/compound-finance/compound-protocol/blob/master/contracts/Governance/GovernorBravoDelegate.solretrieved 2026-04-28
URL
https://www.web3isgoinggreat.com/?id=compound-dao-governance-attackretrieved 2026-04-28
URL
https://www.theblock.co/post/307943/24-million-compound-finance-proposal-passed-by-whale-over-dao-objectionsretrieved 2026-04-28

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol compound-v3 factor RD-F-039 score red collected_at 2026-04-28 00:20:50