★ delegatecall/call in proposal execution without allowlist

Pendle Finance's assessment for RD-F-039 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★] No on-chain governor executes arbitrary proposal payloads. However, ActionMiscV3.sol simulate() executes target.delegatecall(data) with user-supplied target, then invariably reverts. The revert ensures no state change. Latent risk: if a future upgrade removes the revert, this becomes an open delegatecall. Currently yellow, not red, due to always-revert pattern.

Sources #

GitHub
ActionMiscV3.sol — simulate functionActionMiscV3.sol simulate() function: target.delegatecall(data); revert Errors.SimulationResults(success, result)retrieved 2026-04-29

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol pendle factor RD-F-039 score yellow collected_at 2026-04-28 21:09:40