defirisk.co
rubric v1.7.0

Arbitrary call with user-controlled target

Jupiter's assessment for RD-F-013 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The EVM .call(target, data) pattern is not present on Solana, but analogous CPI-based arbitrary invocation risk exists. Closed-source binary prevents source inspection to verify CPI safety. Gray — conceptual risk exists but factor as defined is EVM-specific and source is unavailable.

Sources #

  • Curator note
    process-learnings.md §Non-EVM / L1-nativeNon-EVM template: closed-source binary prevents source inspection for CPI patternsretrieved 2026-04-29

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol jupiter factor RD-F-013 score gray collected_at 2026-04-29 11:51:25