★ delegatecall/call in proposal execution without allowlist

Lido's assessment for RD-F-039 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Aragon CallsScript executor uses call() (not delegatecall). Uses blacklist approach, not positive allowlist — any non-blacklisted address can be targeted by passed proposals. No delegatecall vector. Practical attack requires 5% quorum + 50% support + 5-day vote + 4-day timelock + Dual Governance opposition window.

Sources #

URL
CallsScript.solhttps://github.com/aragon/aragonOS/blob/master/contracts/evmscript/executors/CallsScript.solretrieved 2026-04-28
URL
retrieved 2026-04-28

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol lido factor RD-F-039 score yellow collected_at 2026-04-28 13:58:42