defirisk.co
rubric v1.7.0

delegatecall with user-controlled target

Rocket Pool's assessment for RD-F-012 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Source inspection confirms no user-controlled delegatecall. Minipool proxy delegatecalls to admin-registered delegate address. Megapool clones use OZ Clones.cloneDeterministic (EIP-1167 minimal proxy) — not a user-supplied target delegatecall. RocketBase access control gates all call targets via RocketStorage registry.

Sources #

  • GitHub
    RocketMegapoolFactory.solRocketMegapoolFactory.sol — Clones.cloneDeterministic, no user-controlled delegatecallretrieved 2026-05-04
  • GitHub
    RocketBase.solRocketBase.sol — onlyLatestNetworkContract restricts all call targetsretrieved 2026-05-04

Methodology #

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol rocket-pool factor RD-F-012 score green collected_at 2026-05-04 15:40:28