Arbitrary call with user-controlled target

Convex Finance's assessment for RD-F-013 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No user-controlled arbitrary call target found. ClaimZap makes calls only to hardcoded addresses. BoosterOwner.execute() is owner-only. VoterProxy.execute() is Booster-operator-only. No path found where a user can supply an arbitrary call target in any Convex core contract.

Sources #

Docs
Convex Finance: Multisig Admin Rights (confirms admin-only for sensitive calls)Convex multisig admin rightsretrieved 2026-05-16
GitHub
Convex ClaimZap.sol source (no user-controlled call targets)ClaimZap.sol - calls to hardcoded addresses onlyretrieved 2026-05-16

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-013 score green collected_at 2026-05-16 02:41:28