defirisk.co
rubric v1.7.0

delegatecall with user-controlled target

Sky Lending (formerly MakerDAO)'s assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Core Vat/MCD contracts do not use user-controlled delegatecall. DSPause uses delegatecall for governance spell execution — target is governance-approved executive spell address (48-hour GSM delay). Sherlock #47 multicall issue excluded as invalid by judge.

Sources #

  • Etherscan
    https://etherscan.io/address/0xbE286431454714F511008713973d3B053A2d38f3retrieved 2026-04-27
  • URL
    https://github.com/sherlock-audit/2024-06-makerdao-endgame-judging/issues/47retrieved 2026-04-27

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sky-lending factor RD-F-012 score green collected_at 2026-04-28 00:43:18