★ delegatecall/call in proposal execution without allowlist

Convex Finance's assessment for RD-F-039 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No on-chain Governor with arbitrary delegatecall-based proposal execution exists. Snapshot outcomes are executed by the 3-of-5 Safe via standard multisig transactions (not delegatecall payloads). BoosterOwner.execute() uses .call{} (not delegatecall) and blocks calls to the Booster itself. VoterProxy.execute() uses standard .call{}. The execute() blocklist (not allowlist) is weaker but the absence of delegatecall removes the primary attack vector.

Sources #

GitHub
Convex VoterProxy.sol -- GitHub sourceVoterProxy.sol execute(): uses _to.call{value:_value}(_data) standard call, no delegatecallretrieved 2026-05-16
GitHub
Convex BoosterOwner.sol -- GitHub sourceBoosterOwner.sol execute(): uses .call{} not delegatecall; require(_to != booster) single blocklist entryretrieved 2026-05-16

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-039 score green collected_at 2026-05-16 02:41:28