Arbitrary call with user-controlled target

QuickSwap's assessment for RD-F-013 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Standard AMM external calls: V2 makes safeTransfer calls to token contracts (fixed at pair creation, not user-supplied targets). V3 Algebra core: C4 M-04 flags safeTransfer lacks ERC20 contract existence check (call to token address, not a user-supplied arbitrary target). No fully user-controlled call(target, data) pattern identified in core contracts across any audit findings.

Sources #

Audit
Code4rena 2022-09 QuickSwap ReportC4 M-04 — safeTransfer lacks existence check (token address calls, not user-controlled target)retrieved 2026-05-16

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol quickswap factor RD-F-013 score green collected_at 2026-05-16 08:48:31