delegatecall with user-controlled target

crvUSD (Curve Stablecoin)'s assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Vyper raw_call with is_delegate_call pattern is the equivalent of Solidity delegatecall. Source review of Controller.vy and AMM.vy (master branch) found no delegatecall pattern with user-controlled target. The arbitrary callback vulnerability (MixBytes Critical #1) was fixed pre-deploy. Static analysis tool unavailable for Vyper; marked green on manual source review basis.

Sources #

GitHub
curve-stablecoin controller.vy — GitHubController.vy source review — no user-controlled delegatecall patternretrieved 2026-05-16
URL
Recap of the crvUSD Audit Findings — MixBytesMixBytes blog — Critical Finding 1 (arbitrary callback) fixed pre-deployretrieved 2026-05-16

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-012 score green collected_at 2026-05-16 19:09:40