★ delegatecall/call in proposal execution without allowlist
Stake DAO's assessment for RD-F-039 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
The Timelock uses a low-level call(), not delegatecall, in its execution path. Governance is off-chain Snapshot voting followed by the DAO multisig signing queueTransaction/executeTransaction; it is not an on-chain governor that executes arbitrary proposal payloads. No unconstrained delegatecall in proposal execution was identified. The score therefore rests on the multisig gate in front of queueTransaction/executeTransaction rather than on an on-chain allowlist of targets; call() still runs with the Timelock's authority (the target sees the Timelock as msg.sender), so the signing multisig remains the trust boundary.
Sources #
- Governance: SDGP-66 Governance Framework. Governance model: Snapshot proposals executed by the DAO multisig (not on-chain arbitrary calldata execution). Retrieved 2026-05-16.
- Stake DAO Timelock — Source Code. Timelock source: executeTransaction uses call(), not delegatecall; no proposal-target delegatecall pattern. Retrieved 2026-05-16.
Methodology #
Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.
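The two shapes this check distinguishes, as an added illustration that is not Stake DAO's Timelock and not part of the curator's evidence: a stripped-down Compound-style executor (queueTransaction/executeTransaction, delay handling omitted) in the failing form, where a proposal-supplied target is reached through delegatecall with no allowlist, beside a hardened form that uses plain call and an allowlist the executor governs through its own execution path. Contract and function names other than queueTransaction/executeTransaction are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: a minimal Compound-style executor, not Stake DAO's
// Timelock. Delay/eta handling is omitted to keep the focus on the execution
// primitive (delegatecall vs call) and on whether the target is constrained.

contract VulnerableExecutor {
    address public admin;
    mapping(bytes32 => bool) public queued;

    constructor() {
        admin = msg.sender;
    }

    function queueTransaction(address target, bytes calldata data)
        external
        returns (bytes32 id)
    {
        require(msg.sender == admin, "not admin");
        id = keccak256(abi.encode(target, data));
        queued[id] = true;
    }

    // FAILS the factor: the proposal-supplied `target` is reached through
    // delegatecall with no allowlist, so the proposal's code runs inside this
    // contract's storage and can rewrite `admin` or selfdestruct the executor.
    function executeTransaction(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        require(msg.sender == admin, "not admin");
        bytes32 id = keccak256(abi.encode(target, data));
        require(queued[id], "not queued");
        delete queued[id];
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "execution reverted");
        return ret;
    }
}

contract HardenedExecutor {
    address public admin;
    mapping(bytes32 => bool) public queued;
    mapping(address => bool) public allowedTarget;

    event TargetAllowed(address indexed target, bool allowed);

    constructor() {
        admin = msg.sender;
    }

    // Only reachable by the executor calling itself, i.e. through a queued and
    // executed proposal, so allowlist changes pass through the same gate as
    // every other governance action.
    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == address(this), "only via executor");
        allowedTarget[target] = allowed;
        emit TargetAllowed(target, allowed);
    }

    function queueTransaction(address target, bytes calldata data)
        external
        returns (bytes32 id)
    {
        require(msg.sender == admin, "not admin");
        id = keccak256(abi.encode(target, data));
        queued[id] = true;
    }

    // PASSES the factor: plain call (the target runs in its own storage) and
    // the target must be on an allowlist the executor maintains itself.
    // Self-calls are permitted so the allowlist can be governed through the
    // same path. Note that call still executes with this contract's authority
    // (the target sees this executor as msg.sender), so `admin` remains the
    // trust boundary for anything an allowed target can do.
    function executeTransaction(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        require(msg.sender == admin, "not admin");
        require(target == address(this) || allowedTarget[target], "target not allowed");
        bytes32 id = keccak256(abi.encode(target, data));
        require(queued[id], "not queued");
        delete queued[id];
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "execution reverted");
        return ret;
    }
}
```

When reviewing a real executor against this factor, look for three things in executeTransaction: which low-level primitive is used, where the target address comes from (storage set by governance versus a function argument supplied with the proposal), and whether any check on that address sits between the queue and the external call.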
rubric_version: v1.7.0; protocol: stake-dao; factor: RD-F-039; score: green; collected_at: 2026-05-16 12:29:20