Arbitrary call with user-controlled target

BENQI's assessment for RD-F-013 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Compound V2 pattern confines external calls to well-defined interfaces: oracle (PriceOracle), interest rate model (InterestRateModel), and token (ERC-20). No arbitrary user-controlled external call target identified in the inspected public source files. However, the Isolated Markets contracts (private repo, Moonwell-lineage) cannot be fully inspected, and tool confirmation (Slither arbitrary-send-eth detector) has not been run. Yellow: no finding identified in inspected source, but cannot affirmatively confirm clean for all contracts.

Sources #

GitHub
Comptroller.sol — external call analysisComptroller.sol and QiToken.sol source review — external calls limited to oracle and interest rate model interfacesretrieved 2026-05-16

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol benqi factor RD-F-013 score yellow collected_at 2026-05-16 11:02:12