Arbitrary call with user-controlled target

Liquity V1 + V2 (LUSD / BOLD)'s assessment for RD-F-013 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Core v2 contracts make external calls only to fixed-address contract references (boldToken, activePool, collToken) set at deployment and immutable thereafter. Recon found a flashloan callback issue in peripheral Zapper contracts (not core) which was resolved in subsequent audit rounds. No arbitrary user-controlled call target in core contracts.

Sources #

GitHub
Liquity v2 StabilityPool.sol sourcev2 StabilityPool source — external calls only to fixed contract referencesretrieved 2026-05-16
Audit
Bold Protocol Security Review (Recon/GalloDaSballo)Recon review: Zapper flashloan callback issue (not core) resolved in subsequent roundsretrieved 2026-05-16

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquity factor RD-F-013 score green collected_at 2026-05-16 10:35:50