defirisk.co
rubric v1.7.0

Arbitrary call with user-controlled target

Kamino Lend's assessment for RD-F-013 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

EVM arbitrary .call(target, data) pattern does not exist in Solana BPF. Anchor CPIs use explicit account constraints. Factor N/A.

Detail #

Solana programs cannot make arbitrary external calls to user-supplied addresses; CPIs are constrained by account validation at the runtime level.

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol kamino-lend factor RD-F-013 score not_applicable collected_at 2026-04-30 21:19:16