★ delegatecall/call in proposal execution without allowlist

Aerodrome Finance's assessment for RD-F-039 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Two governor contracts: (1) EpochGovernor (GovernorSimple) has strict minter-only allowlist â€” can only call IMinter.nudge(); low risk. (2) ProtocolGovernor (VetoGovernor) uses regular call() â€” not delegatecall â€” with no target allowlist; arbitrary external calls possible on successful proposals. Vetoer (team multisig) can cancel malicious proposals pre-execution. No delegatecall storage collision risk. Moderate arbitrary-call risk via ProtocolGovernor.

Sources #

GitHub
GovernorSimple.sol â€” minter-only allowlist for EpochGovernorGovernorSimple.sol â€” strict allowlist: only minter target, only nudge() selectorretrieved 2026-05-04
GitHub
VetoGovernor.sol â€” call() without allowlistVetoGovernor.sol â€” targets[i].call{value: values[i]}(calldatas[i]); no allowlist checkretrieved 2026-05-04

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol aerodrome factor RD-F-039 score yellow collected_at 2026-05-04 19:56:03