defirisk.co
rubric v1.7.0

Arbitrary call with user-controlled target

deBridge's assessment for RD-F-013 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

CallProxy.sol implements `call()` and `callERC20()` which accept user-supplied `_receiver` (target address) and `_data` (calldata) with no target allowlist beyond an `isContract()` check. These functions are restricted to `DEBRIDGE_GATE_ROLE` callers only, so direct user access is gated. However, the DeBridgeGate's `claim()` function passes user-decoded `_autoParams.data` directly to CallProxy — meaning the ultimate target and calldata are user-controlled, albeit routed through an ACL-control...

Sources

Methodology

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.
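The following Solidity sketch is an added illustration, not deBridge's CallProxy or any other code from the assessed project. It places the pattern this factor screens for (a role-gated but otherwise unrestricted `.call(target, data)`) next to a hardened variant that adds the two controls the methodology names: a target allowlist and a selector filter. Contract names, the `gate`/`admin` roles and the `allowed` mapping are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only (hypothetical contracts, not the audited code).
// Pattern the RD-F-013 check flags: the caller is role-gated, but the
// target address and calldata still originate from the end user upstream,
// so the proxy will forward any call to any contract.
contract OpenCallProxy {
    address public immutable gate; // assumed: the only authorised caller

    constructor(address _gate) {
        gate = _gate;
    }

    function call(address _receiver, bytes calldata _data)
        external
        payable
        returns (bool ok)
    {
        require(msg.sender == gate, "not gate");
        // An isContract-style check only; it does not constrain *which*
        // contract or *which* function is reached.
        require(_receiver.code.length > 0, "not a contract");
        (ok, ) = _receiver.call{value: msg.value}(_data);
    }
}

// Hardened variant: the same entry point, but a call is forwarded only if
// the (target, function selector) pair was explicitly allowlisted by admin.
contract AllowlistedCallProxy {
    address public immutable gate;
    address public immutable admin;

    // target => 4-byte selector => permitted
    mapping(address => mapping(bytes4 => bool)) public allowed;

    event CallAllowed(address indexed target, bytes4 indexed selector, bool permitted);

    constructor(address _gate, address _admin) {
        gate = _gate;
        admin = _admin;
    }

    function setAllowed(address target, bytes4 selector, bool permitted) external {
        require(msg.sender == admin, "not admin");
        allowed[target][selector] = permitted;
        emit CallAllowed(target, selector, permitted);
    }

    function call(address _receiver, bytes calldata _data)
        external
        payable
        returns (bool ok)
    {
        require(msg.sender == gate, "not gate");
        // Selector filter: refuse calldata too short to carry a selector,
        // then require the exact target/selector pair to be allowlisted.
        require(_data.length >= 4, "no selector");
        bytes4 sel = bytes4(_data[:4]);
        require(allowed[_receiver][sel], "target/selector not allowlisted");
        (ok, ) = _receiver.call{value: msg.value}(_data);
    }
}
```

When reviewing a proxy against this factor, the question is not whether `call()` has a caller ACL (both contracts above do) but whether the values reaching `.call` were chosen by an end user without passing through a constraint like `allowed[_receiver][sel]`. A token-forwarding variant such as the `callERC20()` mentioned in the evidence needs the same allowlist and selector check, since an approval followed by an arbitrary call is the same primitive with a token attached.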


rubric_version: v1.7.0
protocol: debridge
factor: RD-F-013
score: yellow
collected_at: 2026-04-28 01:27:58