Arbitrary call with user-controlled target

Axelar Network's assessment for RD-F-013 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

AxelarGateway execute function dispatches calls to addresses derived from validator-signed command data validated through the AxelarAuthWeighted proof system. Targets are not freely user-supplied without validator-quorum authorization. No direct arbitrary .call(user-target, user-data) pattern identified in EVM gateway.

Sources #

GitHub
AxelarGateway Source - execute function analysisAxelarGateway.sol execute function: validator-signed command validation before dispatchretrieved 2026-05-17

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol axelar factor RD-F-013 score green collected_at 2026-05-16 21:57:49