defirisk.co
rubric v1.7.0

delegatecall/call in proposal execution without allowlist

Save (formerly Solend)'s assessment for RD-F-039 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Save/Solend governance runs on Solana via Realms/SPL governance (BPF program). The EVM delegatecall/call pattern in Governor Bravo/OpenZeppelin Governor proposal execution does not exist in Solana BPF architecture. Solana does not have delegatecall; CPI (cross-program invocation) is structurally different. This factor is structurally inapplicable to this Solana-native protocol.

Sources #

  • Internal
    SOLANA_GOVERNANCE.md — Solana BPF vs EVM architectureSOLANA_GOVERNANCE.md — Solana BPF architecture vs EVM; process-learnings.md §Non-EVM pre-marksretrieved 2026-05-17

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol save factor RD-F-039 score not_applicable collected_at 2026-05-17 15:20:15