delegatecall with user-controlled target

Centrifuge's assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No delegatecall with user-controlled target found across any inspected Centrifuge V3/V3.1 contract. Gateway.sol uses typed external interface calls. WormholeAdapter.sol calls immutable relayer address. Auth.sol and Root.sol use only standard external calls. No delegatecall pattern identified in any of 22+ audit engagements.

Sources #

Audit
Sherlock Centrifuge V3.1 contest $320K USDCSherlock+Blackthorn V3.1 contest 2025 — no delegatecall finding in public reportretrieved 2026-04-28
Audit
Code4rena Centrifuge Sept 2023 audit reportCode4rena 2023-09 Centrifuge findings (0 high, 8 medium — no delegatecall finding)retrieved 2026-04-28
GitHub
Gateway.sol — no delegatecall foundcentrifuge/protocol Gateway.sol main branchretrieved 2026-04-28
GitHub
WormholeAdapter.sol — immutable relayer, no user-controlled delegatecallcentrifuge/protocol WormholeAdapter.sol main branchretrieved 2026-04-28

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol centrifuge factor RD-F-012 score green collected_at 2026-04-30 21:19:10