delegatecall with user-controlled target

Euler V2's assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

use() modifier in Dispatch.sol performs delegatecall to module addresses, but all module addresses are stored as immutable state variables set in the constructor via DeployedModules struct. Target is NOT user-controlled — it is fixed at deployment. This is the correct pattern and not a vulnerability.

Sources #

GitHub
EVK Dispatch.sol — Module Dispatch PatternDispatch.sol — use() modifier with immutable module addresses confirmedretrieved 2026-05-04

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol euler-v2 factor RD-F-012 score green collected_at 2026-05-04 19:56:06