★ delegatecall/call in proposal execution without allowlist

Marinade Finance's assessment for RD-F-039 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Solana SPL-governance uses typed CPI (cross-program invocation) to specific program instruction handlers, not EVM-style delegatecall/call with arbitrary payload. Proposal execution calls defined program instructions through SPL-governance's native mechanism. The arbitrary-target delegatecall attack surface does not exist in Solana's execution model. Factor is N/A as defined but green on the underlying safety property.

Sources #

Docs
Marinade DAO | Marinade DocumentationMarinade DAO docs — Realms governance mechanismretrieved 2026-05-16
URL
https://github.com/solana-labs/solana-program-library/blob/master/governance/program/src/processor/process_execute_transaction.rsretrieved 2026-05-16

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol marinade factor RD-F-039 score green collected_at 2026-05-16 08:48:35