defirisk.co
rubric v1.7.0

delegatecall/call in proposal execution without allowlist

crvUSD (Curve Stablecoin)'s assessment for RD-F-039 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Curve Ownership Agent (0x40907540d8a6C65c637785e8f8B742ae6b0b9968) is an Aragon Agent that executes arbitrary calls after successful vote — no explicit target allowlist. This is the standard Aragon design. Mitigating factors: 7-day veCRV vote window allows community detection of malicious proposals; veCRV lock prevents flash-loan quorum manipulation; Emergency DAO can kill gauges. Structural risk is real but materially mitigated vs. typical Compound-Governor-without-allowlist setup. Graded yellow per curve-v2 precedent.

Sources #

  • Etherscan
    Curve Ownership Agent EtherscanOwnership Agent 0x40907540d8a6C65c637785e8f8B742ae6b0b9968 labeled 'Curve: Ownership Agent' AppProxyUpgradeable on Etherscanretrieved 2026-05-16
  • URL
    Curve DAO Aragon governanceAragon Agent execute() allows arbitrary calls by design; no target allowlist in Aragon standard designretrieved 2026-05-16

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-039 score yellow collected_at 2026-05-16 19:09:40