defirisk.co
rubric v1.7.0

delegatecall with user-controlled target

Stake DAO's assessment for RD-F-012 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

No published static analysis. LaPoste uses delegatecall to a hardcoded implementation — not user-controlled. No architectural evidence of user-controlled delegatecall. Slither run needed for comprehensive coverage across all strategy contracts.

Sources

  • Etherscan
    LaPoste Proxy Etherscan Source
    LaPoste proxy 0xF0000058000021003E4754dCA700C766DE7601C2 — custom proxy to fixed implementation
    retrieved 2026-05-16

Methodology

Determine whether any contract uses `delegatecall` where the target address is or can be user-supplied without an on-chain allowlist.

rubric_version: v1.7.0
protocol: stake-dao
factor: RD-F-012
score: gray
collected_at: 2026-05-16 12:29:20