★ delegatecall/call in proposal execution without allowlist

Axelar Network's assessment for RD-F-039 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

InterchainGovernance executeProposal(address target, bytes callData, uint256 nativeValue) uses external call (NOT delegatecall) on proposal-supplied target. No target allowlist — only check is if (target == address(0)) revert. Unconstrained arbitrary call after 7-day timelock + validator quorum passage. Mitigating factors: (1) call not delegatecall limits proxy-storage-manipulation exploit class; (2) 7-day observation window; (3) ≥2/3 validator quorum required.

Sources #

Audit
Code4rena 2023-07 Axelar Audit ReportCode4rena 2023-07-axelar: InterchainGovernance in scope; no delegatecall finding at high severityretrieved 2026-05-17
GitHub
InterchainGovernance.sol — axelar-gmp-sdk-solidityaxelar-gmp-sdk-solidity InterchainGovernance.sol: executeProposal uses _call(target, callData, nativeValue) — external call, no allowlistretrieved 2026-05-17

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol axelar factor RD-F-039 score yellow collected_at 2026-05-16 21:57:49