defirisk.co
rubric v1.7.0

delegatecall with user-controlled target

Across Protocol's assessment for RD-F-012 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

HubPool uses `delegatecall` to chain adapters (Arbitrum_Adapter, Ovm_SpokePool adapters, etc.) for relaying tokens and messages cross-chain. The delegatecall target is the adapter address stored in the HubPool's internal chain adapter mapping — not directly user-supplied at call time. The adapter address is set by the HubPool owner (Across Council multisig). The Oct 2024 OZ audit found "malformed delegatecall in SpokePool's fill function" as a finding that was resolved. Design-level: HubPool'...

Sources

Methodology

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.
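As an added illustration (not Across Protocol's code and not part of the curator's evidence), the two shapes this factor distinguishes: a relayer whose `delegatecall` target is read straight from calldata, and one whose caller supplies only a chain id that is resolved through an owner-maintained mapping, the on-chain allowlist pattern the evidence summary describes for HubPool. Contract, function and mapping names (`OpenRelayer`, `AllowlistedRelayer`, `crossChainAdapter`, `setAdapter`, `relayMessage`) are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the RD-F-012 check. Names are hypothetical; nothing
// here is Across Protocol code.

// Case the factor flags: the caller chooses the delegatecall target.
// The callee runs with THIS contract's storage, ETH balance and msg.sender,
// so whoever picks `target` effectively controls this contract.
contract OpenRelayer {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function relay(address target, bytes calldata data) external {
        // Target taken directly from calldata: no on-chain allowlist.
        (bool ok, ) = target.delegatecall(data);
        require(ok, "relay failed");
    }
}

// Allowlisted pattern: the caller names a chain id, not an address.
// The address comes from a mapping that only the owner can write.
contract AllowlistedRelayer {
    address public owner;

    // chainId => adapter contract; this mapping is the on-chain allowlist.
    mapping(uint256 => address) public crossChainAdapter;

    event AdapterSet(uint256 indexed chainId, address indexed adapter);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // The only write path for delegatecall targets is owner-gated.
    function setAdapter(uint256 chainId, address adapter) external onlyOwner {
        require(adapter != address(0), "zero adapter");
        require(adapter.code.length > 0, "adapter must be a contract");
        crossChainAdapter[chainId] = adapter;
        emit AdapterSet(chainId, adapter);
    }

    // Who may trigger a relay is a separate access-control question from
    // RD-F-012; the factor only asks where the target address comes from.
    function relayMessage(uint256 chainId, address to, bytes calldata message) external {
        address adapter = crossChainAdapter[chainId];
        require(adapter != address(0), "no adapter for chain");

        // Target is the allowlisted adapter; the caller never supplies it.
        (bool ok, ) = adapter.delegatecall(
            abi.encodeWithSignature("relayMessage(address,bytes)", to, message)
        );
        require(ok, "adapter call failed");
    }
}
```

When applying the methodology, trace every `delegatecall` target back to where the address originates. Calldata, or a storage slot that any caller can write, is the case this factor flags; a mapping written only through an owner-gated setter, as above, keeps the target out of the user's hands, and the residual risk moves to who controls the owner key and whether the adapter code itself is trusted.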


rubric_version: v1.7.0; protocol: across-protocol; factor: RD-F-012; score: yellow; collected_at: 2026-04-30 21:19:18