defirisk.co
rubric v1.7.0

Arbitrary call with user-controlled target

Venus Protocol's assessment for RD-F-013 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Timelock.sol uses target.call(callData) without an allowlist — any address can be targeted by queued proposals. However, execution requires the full Governor Bravo proposal lifecycle (quorum, voting period, timelock delay), which provides economic and temporal friction. This is the standard Compound-style design shared by most major governance systems. Scored yellow rather than red because of this governance friction layer.

Sources

Methodology

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.
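As an added illustration of both the evidence summary and the check above (not Venus's Timelock.sol and not part of this assessment), the Compound-style open-target pattern sits beside a target/selector-allowlisted variant that this methodology would not flag; all contract and function names are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Venus's Timelock.sol; contract and function names are hypothetical.
abstract contract TimelockBase {
    address public immutable admin;  // the governor contract
    uint256 public immutable delay;  // the temporal friction the assessment credits
    mapping(bytes32 => bool) public queued;
    constructor(uint256 delay_) { admin = msg.sender; delay = delay_; }

    // Governor queues one proposal action once voting has passed; eta must respect the delay.
    function queueTransaction(address target, uint256 value, bytes calldata data, uint256 eta) external returns (bytes32 txHash) {
        require(msg.sender == admin, "Timelock: admin only");
        require(eta >= block.timestamp + delay, "Timelock: eta too early");
        txHash = keccak256(abi.encode(target, value, data, eta));
        queued[txHash] = true;
    }

    // Governor executes after the delay; target and data come straight from the proposal.
    function executeTransaction(address target, uint256 value, bytes calldata data, uint256 eta) external payable returns (bytes memory) {
        require(msg.sender == admin, "Timelock: admin only");
        bytes32 txHash = keccak256(abi.encode(target, value, data, eta));
        require(queued[txHash], "Timelock: not queued");
        require(block.timestamp >= eta, "Timelock: delay not elapsed");
        delete queued[txHash];
        _checkTarget(target, data);
        // The arbitrary call RD-F-013 looks for; only the checks above stand between a proposal and any contract.
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        require(ok, "Timelock: call reverted");
        return ret;
    }
    function _checkTarget(address target, bytes calldata data) internal view virtual;
}

// Compound-style design this page describes: no target or selector restriction.
contract TimelockOpenTarget is TimelockBase {
    constructor(uint256 d) TimelockBase(d) {}
    function _checkTarget(address, bytes calldata) internal view override {}
}

// Hardened variant: a (target, selector) pair must be approved by the admin before it can be executed.
contract TimelockAllowlisted is TimelockBase {
    mapping(address => mapping(bytes4 => bool)) public allowed;
    constructor(uint256 d) TimelockBase(d) {}
    function setAllowed(address target, bytes4 selector, bool ok) external {
        require(msg.sender == admin, "Timelock: admin only");
        allowed[target][selector] = ok;
    }
    function _checkTarget(address target, bytes calldata data) internal view override {
        require(data.length >= 4 && allowed[target][bytes4(data[:4])], "Timelock: target/selector not allowed");
    }
}
```

The allowlisted variant trades flexibility for a narrower blast radius: a passed proposal can still only reach pre-approved functions, so the friction of the governance lifecycle is no longer the only guard.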


rubric_version: v1.7.0
protocol: venus
factor: RD-F-013
score: yellow
collected_at: 2026-04-28 18:30:49