defirisk.co
rubric v1.7.0

delegatecall/call in proposal execution without allowlist

Fluid's assessment for RD-F-039 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

InstaTimelock executes proposals via `call` (not `delegatecall`). Neither Governor Bravo nor InstaTimelock enforces a target allowlist. However, this governance covers only the legacy INST system. Fluid protocol upgrades bypass all governance and execute directly via the Avocado admin, so there is no proposal execution path at all for Fluid contracts. There is no allowlist anywhere in the upgrade chain.

Sources

Methodology

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.
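
The pattern this factor checks for, next to a variant that enforces a target allowlist. This is an added Solidity example, not code from Fluid, InstaTimelock or Governor Bravo; the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical contracts for illustration; not Fluid, InstaTimelock or Governor Bravo code.

// Pattern the factor looks for: the target comes from the proposal and is never checked.
contract UncheckedExecutor {
    address public immutable governor;
    constructor(address governor_) { governor = governor_; }
    function execute(address target, uint256 value, bytes calldata data)
        external payable returns (bytes memory)
    {
        require(msg.sender == governor, "not governor");
        // `call` runs the target's code against the target's own storage;
        // `delegatecall` here would run it against this executor's storage and balance.
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        require(ok, "call failed");
        return ret;
    }
}

// Same executor with a target allowlist enforced before the external call.
contract AllowlistedExecutor {
    address public immutable governor;
    mapping(address => bool) public allowedTarget;
    event TargetAllowed(address indexed target, bool allowed);
    constructor(address governor_, address[] memory targets) {
        governor = governor_;
        for (uint256 i = 0; i < targets.length; i++) {
            allowedTarget[targets[i]] = true;
            emit TargetAllowed(targets[i], true);
        }
    }

    // Changing the allowlist is itself a governed action, visible on-chain via the event.
    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == governor, "not governor");
        allowedTarget[target] = allowed;
        emit TargetAllowed(target, allowed);
    }

    function execute(address target, uint256 value, bytes calldata data)
        external payable returns (bytes memory)
    {
        require(msg.sender == governor, "not governor");
        require(allowedTarget[target], "target not allowlisted");
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        require(ok, "call failed");
        return ret;
    }
}
```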


rubric_version: v1.7.0
protocol: fluid
factor: RD-F-039
score: yellow
collected_at: 2026-04-29 10:35:01