★ delegatecall/call in proposal execution without allowlist

Frax Finance's assessment for RD-F-039 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

FraxGovernorOmega has both a delegateCallAllowlist and safeAllowlist in its contract (confirmed from Etherscan source). Execute() calls safe.approveHash() on allowlisted Safes — not arbitrary targets. Alpha uses OZ standard call (not delegatecall) for proposal execution. Allowlist existence mitigates the risk. However, allowlist contents were not confirmed via direct on-chain read (JS-rendered tab inaccessible). Yellow not green due to unverified allowlist population.

Sources #

Etherscan
FraxGovernorOmega | EtherscanFraxGovernorOmega 0x953791D7 source code shows delegateCallAllowlist mapping and safeAllowlist mapping; execute() calls safe.approveHash()retrieved 2026-05-17
Docs
Advanced Concepts | Frax FinanceFrax docs: Omega calls safe.approveHash() from Omega under the hood, not arbitrary contract callsretrieved 2026-05-17
Audit
frxGov Security Review — Trail of Bits 2023Trail of Bits frxGov audit 2023-07 covered FraxGovernorOmega execution pathretrieved 2026-05-17

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-039 score yellow collected_at 2026-05-16 20:44:31