defirisk.co
rubric v1.7.0

delegatecall with user-controlled target

Dolomite's assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No user-controlled delegatecall target found in core DolomiteMargin contracts inspected. Core is non-upgradeable/immutable (constructor-based init, no proxy). Module proxy contracts (ExpiryProxy etc.) use admin-controlled upgrade patterns. The legacy exploit (2024) was on the old 2019 contract, not v2.

Sources #

  • GitHub
    DolomiteMargin OperationImpl.solOperationImpl.sol: no delegatecall with user-controlled target (library for deposits/withdrawals/trades)retrieved 2026-05-16

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol dolomite factor RD-F-012 score green collected_at 2026-05-16 11:12:56