defirisk.co
rubric v1.7.0

delegatecall/call in proposal execution without allowlist

Liquid Collective (LsETH)'s assessment for RD-F-039 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No on-chain Governor or proposal execution contract exists. The Firewall.sol contract routes executor calls to a single immutable destination address with a per-function-selector allowlist (executorCanCall mapping). No delegatecall with proposal-supplied targets. No proposal execution path with arbitrary call targets. Not applicable by construction.

Sources #

  • Internal
    Data cache — no on-chain governor address.research/protocols/liquid-collective/00-data-cache.json §sources.governance.governor_address=nullretrieved 2026-05-16
  • GitHub
    Firewall.sol — single immutable destination, no arbitrary delegatecallliquid-collective/liquid-collective-protocol/blob/main/contracts/src/Firewall.sol — immutable destination, executorCanCall allowlistretrieved 2026-05-17

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquid-collective factor RD-F-039 score not_applicable collected_at 2026-05-16 19:46:23