★ delegatecall/call in proposal execution without allowlist
Assessment of Liquity V1 + V2 (LUSD / BOLD) for RD-F-039: scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
v2 Governance calls initiatives via safeCallWithMinGas() with specific function selectors — not arbitrary delegatecall to proposal-supplied targets. multiDelegateCall() is an internal batching utility for user-facing batch operations (depositLQTY + allocateLQTY combinations), not an arbitrary proposal execution path with attacker-supplied targets. No target allowlist needed because call targets are registered initiative addresses, not proposal payloads.
Sources
- GitHub: Liquity V2-gov GitHub Repository. V2-gov GitHub: initiative calls use fixed selectors; no arbitrary delegatecall to proposal-supplied targets. Retrieved 2026-05-16.
- Liquity v2 Governance Contract — Etherscan. Governance.sol 0x807def5e7d057df05c796f4bc75c3fe82bd6eee1 verified source — safeCallWithMinGas() pattern for initiative calls; multiDelegateCall() scoped to internal governance functions. Retrieved 2026-05-16.
Methodology
Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.