delegatecall with user-controlled target

Axelar Network's assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

AxelarGateway.sol: the only delegatecall uses tokenDeployer (immutable, set in constructor) as target, not user-supplied. Upgradable.sol upgrade delegatecall is gated by onlyOwner plus code-hash and contractId identity checks. No user-controlled delegatecall target in EVM gateway contracts.

Sources #

GitHub
Upgradable.sol - Upgrade Access ControlUpgradable.sol: upgrade() onlyOwner with identity checksretrieved 2026-05-17
GitHub
AxelarGateway Source - delegatecall analysisAxelarGateway.sol lines 350-500: delegatecall uses immutable tokenDeployerretrieved 2026-05-17

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol axelar factor RD-F-012 score green collected_at 2026-05-16 21:57:49