defirisk.co
rubric v1.7.0

delegatecall/call in proposal execution without allowlist

stHYPE (Valantis Labs)'s assessment for RD-F-039 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No on-chain Governor or proposal-execution contract exists. Safe executes transactions directly via execTransaction with explicit to/value/data/operation params; there is no proposal execution path. delegatecall/call in proposal payload is not an applicable attack vector.

Sources #

  • Internal
    Pipeline data cache00-data-cache.json governance.governor_address: nullretrieved 2026-05-17
  • Tx
    HyperEVMScan — April 2026 upgrade txhyperevmscan.io tx 0x11482a6a — Safe.execTransaction(to=0xE7B0f26E, ...) directly; no Governor contract in call chainretrieved 2026-05-17

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol staked-hype factor RD-F-039 score not_applicable collected_at 2026-05-17 13:02:38