Arbitrary call with user-controlled target

Hyperlane's assessment for RD-F-013 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Mailbox.process() calls recipient.handle() where recipient address is derived from the message payload — i.e., the message sender picks the recipient. No target allowlist or selector filter is enforced. This is architecturally inherent for a messaging protocol (the purpose is to route messages to arbitrary recipient contracts) but matches the 'arbitrary call with message-controlled target' pattern. Yellow: design-inherent risk, not a coding mistake.

Sources #

GitHub
Mailbox.sol — process() functionMailbox.sol process() — recipient.handle() called with message-derived recipient address; no allowlistretrieved 2026-05-17

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperlane factor RD-F-013 score yellow collected_at 2026-05-16 23:03:56