SELFDESTRUCT reachable from non-admin path

Axelar Network's assessment for RD-F-011 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

AxelarGateway.sol contains depositHandler.destroy() calling selfdestruct on the ephemeral DepositHandler, which is deployed and destroyed in the same transaction (CREATE2 pattern, EIP-6780 compatible). DepositHandler destroy() is owner-restricted (onlyOwner). The gateway implementation itself has no SELFDESTRUCT reachable from non-admin paths. No SELFDESTRUCT in core path.

Sources #

URL
C4 2022-04 DepositHandler Selfdestruct FindingCode4rena 2022-04 finding #19 re: DepositHandler selfdestruct - onlyOwner access control confirmedretrieved 2026-05-17
GitHub
AxelarGateway Source - burnToken and DepositHandlerAxelarGateway.sol lines 500-700 burnToken function with depositHandler.destroy()retrieved 2026-05-17

Methodology #

Determine whether any deployed contract contains the SELFDESTRUCT opcode in a code path reachable from a non-admin caller.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol axelar factor RD-F-011 score green collected_at 2026-05-16 21:57:49