★ delegatecall/call in proposal execution without allowlist

Maple Finance's assessment for RD-F-039 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

GovernorTimelock executeProposals uses call() on proposal-supplied target with no on-chain target allowlist. Any contract can be targeted with arbitrary calldata after 1-day delay. Proposer gated to daoMultisig but no target restriction.

Detail #

The GovernorTimelock at 0x2eFFf88747EB5a3FF00d4d8d0f0800E306C0426b uses low-level call() in its executeProposals function with no enumerated allowlist of permitted target contracts. This is the Beanstalk-class unconstrained governance executor pattern. The 1-day timelock + securityAdmin canceller provide partial mitigation but do not eliminate the risk: a compromised 4-of-7 daoMultisig can queue a malicious proposal to drain protocol funds if the protocol's contracts allow such calls.

Sources #

Etherscan
https://etherscan.io/address/0x2eFFf88747EB5a3FF00d4d8d0f0800E306C0426b#coderetrieved 2026-04-27
Audit
https://github.com/maple-labs/maple-core-v2/blob/main/audits/2025-sept-governor-timelock/0xMacro-Maple-Finance-timelock-Sept-2025.pdfretrieved 2026-04-27

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol maple-finance factor RD-F-039 score red collected_at 2026-04-27 05:38:08