delegatecall with user-controlled target

Lombard Finance's assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No delegatecall with user-controlled target found in examined contracts. TransparentUpgradeableProxy uses delegatecall internally but target is admin-controlled (ProxyAdmin / TimelockController). Consortium.sol: no delegatecall. BridgeV2.sol: no delegatecall found. NativeLBTC.sol: standard ERC-20 operations, no delegatecall. Full repository scan was not performed — confidence medium because peripheral contracts (PMM, StakeAndBake, GMP) were not exhaustively reviewed.

Sources #

GitHub
BridgeV2.sol sourceBridgeV2.sol: no delegatecall detectedretrieved 2026-05-05
GitHub
Consortium.sol sourceConsortium.sol: no delegatecall detectedretrieved 2026-05-05

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol lombard factor RD-F-012 score green collected_at 2026-05-05 12:03:08