★ delegatecall/call in proposal execution without allowlist

Rocket Pool's assessment for RD-F-039 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

pDAO proposal execution targets a single hardcoded contract: getContractAddress('rocketDAOProtocolProposals'). This is an effective target allowlist of one permitted contract. No user-supplied delegatecall target. RocketDAOProtocolProposals contract exposes only governance settings, treasury, and Security Council management functions — all restricted by onlyExecutingContracts() modifier.

Sources #

GitHub
RocketDAOProtocolProposals.solRocketDAOProtocolProposals.sol: onlyExecutingContracts modifier restricts callsitesretrieved 2026-05-04
GitHub
RocketDAOProtocolProposal.solRocketDAOProtocolProposal.sol: call to getContractAddress('rocketDAOProtocolProposals') onlyretrieved 2026-05-04

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol rocket-pool factor RD-F-039 score green collected_at 2026-05-04 15:40:28