★ delegatecall/call in proposal execution without allowlist

JustLend DAO's assessment for RD-F-039 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Timelock executes proposals via target.call() (not delegatecall). GovernorBravoDelegator fallback uses delegatecall internally for routing to implementation — this is the proxy mechanism, not proposal execution. No target allowlist exists: proposals can target any address. Standard Compound-Bravo posture. Risk is mitigated by 600M WJST quorum requirement but not eliminated. Scored yellow not red because call (not delegatecall) limits blast radius to value transfer / external call, not Timelock storage corruption.

Sources #

GitHub
JustLend Timelock.sol — executeTransaction uses callTimelock.sol: (bool success, bytes memory returnData) = target.call.value(value)(callData) — uses call not delegatecall. No target allowlist in executeTransaction.retrieved 2026-05-17
GitHub
JustLend GovernorBravoInterfaces.sol — no target allowlistGovernorBravoInterfaces.sol: Proposal struct contains address[] targets, uint[] values, string[] signatures, bytes[] calldatas — no allowlist on targets field.retrieved 2026-05-17

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol justlend factor RD-F-039 score yellow collected_at 2026-05-17 10:25:32