★ delegatecall/call in proposal execution without allowlist

Orca's assessment for RD-F-039 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Orca uses SPL Governance on Solana (non-EVM). The delegatecall/call proposal-execution attack surface does not exist on Solana — proposal execution invokes authorized Solana program instructions with typed accounts, not arbitrary EVM calldata with arbitrary targets. Structural N/A by architecture.

Sources #

GitHub
https://raw.githubusercontent.com/solana-labs/solana-program-library/master/governance/program/src/processor/process_execute_transaction.rsretrieved 2026-05-16
Internal
SOLANA_GOVERNANCE.md — non-EVM architecture N/A determinationSOLANA_GOVERNANCE.md — Solana BPFLoaderUpgradeable architecture; no delegatecall concept on SVMretrieved 2026-05-16

Methodology #

Determine whether the governance executor contract uses `delegatecall` or `call` with proposal-supplied target, without enforcing an allowlist of permitted targets.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol orca factor RD-F-039 score not_applicable collected_at 2026-05-16 02:39:16