defirisk.co
rubric v1.7.0

delegatecall with user-controlled target

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology how we score #

**What this measures** This factor detects whether any contract in the protocol uses delegatecall where the target address is or can be supplied by an external user without an on-chain allowlist restricting the permissible targets. The assessment is performed by static analysis of the deployed bytecode, specifically looking for DELEGATECALL opcodes preceded by a user-controlled CALLDATALOAD or derived from external input without allowlist enforcement.

**Why it matters** Delegatecall executes external code in the calling contract's storage context. A user-controlled delegatecall target allows an attacker to inject arbitrary logic that reads and writes the calling contract's storage, including modifying ownership, draining funds, or redirecting upgrade authority. Furucombo ($14M, 2021) lost funds when an attacker added Aave's lending pool as a handler in the combo registry, then used a delegatecall to the lending pool's initialize() function to claim ownership of Furucombo and approve fund transfers. The Raft exploit ($3.3M, 2023) involved a similar pattern where delegatecall reached an uninitialized storage slot. This vulnerability class is among the most consistently exploitable in proxy-heavy architectures.

**Green / Yellow / Red** Green: all delegatecall usage is to fixed, hardcoded addresses or to addresses validated against an on-chain allowlist enforced by a multisig or governance process. Yellow: delegatecall targets are restricted by a registry, but the registry itself is modifiable by a single admin key without a timelock. Red: delegatecall target can be supplied directly by an external caller with no on-chain allowlist check.

**Common gray cases** This factor is gray when the protocol's architecture does not use delegatecall at all -- common in simple non-upgradeable protocols. It cannot be assessed when source is unverified.

**Notable historical examples** - **Furucombo** ($14M, 2021): Handler registry allowed attacker-controlled delegatecall target; Aave lending pool initialize() claimed ownership. - **Raft** ($3.3M, 2023): Delegatecall to uninitialized storage slot caused attacker's profit to route to burn address; protocol sunsetted.

Measurement what to look for #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

Data & output #

Data source
Slither `controlled-delegatecall` detector + source review on Etherscan-verified source
Output format
Green / Yellow / Red
Evidence artifact
Slither output JSON + contract + function name if flagged
Confidence signal
green = no user-controlled delegatecall; red = user-controlled delegatecall found without allowlist; gray = source unverified

Scored protocols 80 carry this factor #

Protocol RD-F-012
Aave v3 ethereum green Across Protocol ethereum yellow Aerodrome Finance base gray Axelar Network ethereum green Babylon Protocol bitcoin not_applicable Balancer (v2 + v3) ethereum green Beefy Finance ethereum green BENQI avalanche green BlackRock USD Institutional Digital Liquidity Fund (BUIDL) ethereum gray Cap (cUSD / stcUSD) ethereum green Centrifuge ethereum green Chainlink CCIP ethereum green Circle USYC binance gray Compound V3 (Comet) ethereum green Concrete ethereum gray Convex Finance ethereum green crvUSD (Curve Stablecoin) ethereum green Curve Finance ethereum green deBridge ethereum green Dolomite ethereum green dYdX v4 (dYdX Chain) dydx not_applicable EigenLayer ethereum green Ethena ethereum green ether.fi ethereum green Euler V2 ethereum green Falcon Finance ethereum gray Fluid ethereum green Frax Finance ethereum gray GMX v2 (GMX Synthetics) arbitrum green Hyperlane ethereum green Hyperliquid arbitrum green Jito solana not_applicable Jupiter solana not_applicable Jupiter Perpetual Exchange solana not_applicable JustLend DAO tron not_applicable Kamino Lend solana not_applicable Kinetiq hyperliquid green Lido ethereum green Liquid Collective (LsETH) ethereum green Liquity V1 + V2 (LUSD / BOLD) ethereum green Lista DAO bsc green Lombard Finance ethereum green M^0 ethereum green Maple Finance ethereum green Marinade Finance solana not_applicable Meteora solana not_applicable mETH Protocol ethereum green Midas ethereum green Morpho V1 (Morpho Blue + MetaMorpho) ethereum green Multipli ethereum green Ondo Finance ethereum green OpenEden ethereum gray Orca solana not_applicable PancakeSwap bsc green Pendle Finance ethereum green Polymarket polygon green QuickSwap polygon green Raydium solana not_applicable Rocket Pool ethereum green Sanctum solana not_applicable Save (formerly Solend) solana not_applicable Sky Lending (formerly MakerDAO) ethereum green Spark Protocol ethereum green Spiko stellar green Stake DAO ethereum gray StakeWise v3 ethereum green Stargate Finance ethereum green stHYPE (Valantis Labs) hyperliquid gray SUNSwap (sun.io) tron green Superstate ethereum gray Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap ethereum green Symbiotic ethereum gray Synapse Protocol ethereum not_assessed Uniswap (v2 + v3) ethereum green USDD (Decentralized USD) tron green Usual (USD0 / bUSD0 / USUAL) ethereum green Veda (BoringVault) ethereum yellow Venus Protocol bsc green Wormhole ethereum green Yearn Finance ethereum yellow
0 red · 3 yellow · 52 green

Linked hacks 2 historical incidents #

causalRaft — Flash loan + collateral inflation via position liquidation → infinite R mint → stablecoin dump2023-11-10 · $3M · Flash loan + collateral inflation via position liquidation → infinite R mint → stablecoin dump · delegatecall with user-controlled target [via cross-hack: Factor 22: Delegatecall-to-Proxy in Handler Registry] || delegatecall with user-controlled target [via cross-hack: Factor 45: Delegatecall Uninitialized Storage Slot]
causalFurucombo — Evil Contract — Delegatecall Storage Collision2021-02-27 · $14M · Evil Contract — Delegatecall Storage Collision · delegatecall with user-controlled target [via cross-hack: Factor 22: Delegatecall-to-Proxy in Handler Registry]
rubric_version v1.7.0 factor RD-F-012 category 1 carried 80 critical no