★ delegatecall/call in proposal execution without allowlist

Curve Finance's assessment for RD-F-039 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Aragon EVMScript executor uses runScript() which performs calls (and potentially delegatecall) to target contracts. No explicit on-chain target allowlist in curve-aragon-voting Voting.sol. Governance guard is the 7-day vote + 30% quorum + 51% support requirement — social/economic guard, not cryptographic allowlist. Execution script must pass governance; veCRV lock requirement makes rapid exploitation difficult but not impossible given Convex concentration.

Sources #

Docs
Curve DAO: Governance and Votingcurve.readthedocs.io/dao-voting.html — governance script execution mechanismretrieved 2026-04-28
GitHub
curve-aragon-voting Voting.sol — execution logicgithub.com/curvefi/curve-aragon-voting/blob/master/contracts/Voting.sol — runScript() function, no target allowlistretrieved 2026-04-28

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-039 score yellow collected_at 2026-04-28 19:48:40