delegatecall with user-controlled target

Liquid Collective (LsETH)'s assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Source inspection found no user-controlled delegatecall in River.1.sol, Oracle.1.sol, OperatorsRegistry.1.sol, or RedeemManager.1.sol. TUPProxy uses standard OZ TransparentUpgradeableProxy delegatecall to fixed implementation address. No user-supplied delegatecall target found.

Sources #

GitHub
OperatorsRegistry.1.sol — Liquid CollectiveOperatorsRegistry.1.sol source — no delegatecallretrieved 2026-05-17
GitHub
River.1.sol — Liquid CollectiveRiver.1.sol source — no user-controlled delegatecallretrieved 2026-05-17

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquid-collective factor RD-F-012 score green collected_at 2026-05-16 19:46:23