Arbitrary call with user-controlled target

M^0's assessment for RD-F-013 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

MinterGateway external calls target only known immutable addresses (mToken, ttgVault, validator addresses). No arbitrary call(user-supplied-target, user-supplied-data) pattern in core contracts. SwapFacility covered by ChainSecurity/Certora M-Extensions audits Jul-Aug 2025.

Sources #

URL
ChainSecurity M-Zero M Extensions AuditChainSecurity M-Extensions audit coverageretrieved 2026-05-16
GitHub
MinterGateway.sol sourceMinterGateway.sol — external calls to known addresses onlyretrieved 2026-05-16

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol m0 factor RD-F-013 score green collected_at 2026-05-16 09:46:19