★ delegatecall/call in proposal execution without allowlist
M^0's assessment for RD-F-039 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
All three governors (StandardGovernor, EmergencyGovernor, ZeroGovernor) enforce strict allowlists. Each governor's execute() calls only itself (no external target). _revertIfInvalidCalldata() rejects any selector not in a hardcoded list of 5 permitted functions. No delegatecall or user-supplied external target is possible.
Sources #
- GitHubEmergencyGovernor.sol — m0-foundation/ttg GitHubEmergencyGovernor: whitelisted functions only; _revertIfInvalidCalldata() enforcementretrieved 2026-05-16
- StandardGovernor.sol — m0-foundation/ttg GitHubStandardGovernor: self-targeting + 5-function allowlist (addToList, removeFromList, removeFromAndAddToList, setKey, setProposalFee)retrieved 2026-05-16
- ZeroGovernor.sol — m0-foundation/ttg GitHubZeroGovernor: 5-function allowlist (resetToPowerHolders, resetToZeroHolders, setCashToken, setEmergencyProposalThresholdRatio, setZeroProposalThresholdRatio)retrieved 2026-05-16
Methodology #
Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol m0 factor RD-F-039 score green collected_at 2026-05-16 09:46:19