defirisk.co
rubric v1.7.0

delegatecall with user-controlled target

PancakeSwap's assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

V3 Pool source inspection: no user-controlled delegatecall. Callbacks (IPancakeV3MintCallback, IPancakeV3SwapCallback) are external calls to user-supplied addresses for flash repayment, not delegatecall — standard Uniswap V3 pattern. V2 Pair: no delegatecall. Infinity adapters use SafeCallback pattern. No auditor-reported user-controlled delegatecall across 6 firms.

Sources #

  • GitHub
    PancakeV3Pool.solV3 Pool source — callback pattern, no delegatecallretrieved 2026-04-29

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol pancakeswap factor RD-F-012 score green collected_at 2026-04-28 19:10:57