Arbitrary call with user-controlled target

Uniswap (v2 + v3)'s assessment for RD-F-013 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

V3: Pool uses typed callback interfaces (IUniswapV3MintCallback, IUniswapV3SwapCallback, IUniswapV3FlashCallback) — no generic call(target, data) with user-controlled target. Callback target is msg.sender. V2: Flash swap calls IUniswapV2Callee(to).uniswapV2Call() on transaction-supplied `to` — intentional by design, same address that initiated the swap. Green.

Detail #

V3 core uses typed callback interfaces with fixed function signatures — the external call always goes to msg.sender of the initiating transaction via a specific typed interface. V2 UniswapV2Pair.swap() calls the `to` address with the IUniswapV2Callee interface if it's a flash swap callback — this is an intentional design where the callback address is supplied by the caller but the callback function selector is fixed. Neither version implements a free-form .call(target, data) with user-controlled target and data.

Sources #

GitHub
UniswapV3Pool.sol — IUniswapV3MintCallback/SwapCallback/FlashCallback patternUniswapV3Pool.sol typed callback interfacesretrieved 2026-05-12
GitHub
UniswapV2Pair.sol — IUniswapV2Callee typed interface for flash swapUniswapV2Pair.sol flash swap callbackretrieved 2026-05-12

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol uniswap factor RD-F-013 score green collected_at 2026-05-12 10:36:11