★ delegatecall/call in proposal execution without allowlist

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-039 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No active on-chain Governor or proposal executor using delegatecall or call with user-supplied targets. Governance is off-chain Snapshot + Ops Multisig execution. The legacy Timelock (0x9a8541...) is inactive since 2020-09-27. No proposal payload executed via delegatecall exists in current architecture. N/A by architecture.

Sources #

Internal
00-profile.md §6Profile §6 — 'No active on-chain Governor contract'retrieved 2026-05-17
Etherscan
Sushi: Timelock — Etherscan (inactive)Legacy Timelock — inactive, last tx 2020-09-27; no current Governor contract foundretrieved 2026-05-17

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-039 score green collected_at 2026-05-16 19:50:37