defirisk.co
rubric v1.7.0

delegatecall/call in proposal execution without allowlist

Falcon Finance's assessment for RD-F-039 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No Governor proposal execution path with delegatecall exists. All admin actions flow through the 4-of-6 Safe as direct calls. No arbitrary-target execution surface.

Detail #

No Governor contract. The Safe executes direct calls (not delegatecalls to proposal-supplied targets). The Safe itself uses delegatecall internally to its implementation singleton, but this is the Safe's own fixed implementation, not an arbitrary proposal target. RD-F-039 inapplicable in the current multisig-only architecture.

Sources #

  • Etherscan
    Admin Safe on Etherscanhttps://etherscan.io/address/0x1E482B60bf19Cb1cc859389e0eA3DED153f16Bd7retrieved 2026-05-12

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol falcon-finance factor RD-F-039 score green collected_at 2026-05-12 04:06:37