defirisk.co
rubric v1.7.0

delegatecall/call in proposal execution without allowlist

Venus Protocol's assessment for RD-F-039 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Timelock.sol's executeTransaction uses `call`, not `delegatecall`: `target.call.value(value)(callData)`. No target allowlist is enforced, so any address can be called once a VIP (Venus Improvement Proposal) passes. Because the low-level `call` executes in the target contract's storage context rather than the Timelock's, self-referential damage to the executor itself is limited. Combined with the 1-hour Critical VIP window and the guardian's cancel capability, the factor is assessed yellow. It is not red because `delegatecall` is the catastrophic variant (Beanstalk class).

Sources

Methodology

Determine whether the governance executor contract uses `delegatecall` or `call` with a proposal-supplied target without enforcing an allowlist of permitted targets.
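As an added illustration of this check (not defirisk.co's tooling), a heuristic Python scan over constructed Solidity fragments modelled on the executeTransaction pattern above; the red/yellow/green mapping it applies is an assumption drawn from the evidence summary, not the published rubric.

```python
import re
# Added illustration of the RD-F-039 check, not defirisk.co's own tooling. The
# score mapping (delegatecall -> red, call -> yellow, allowlist or fixed target
# -> green) is an assumption drawn from the evidence summary, not the rubric.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\((.*?)\)", re.S)
LOWLEVEL_RE = re.compile(r"\b(\w+)\.(delegatecall|call)\b")
# Constructed Solidity fragments modelled on the executeTransaction pattern
# described above; they are not Venus Protocol's actual Timelock.sol source.
EXECUTOR_CALL = """
function executeTransaction(address target, uint value, bytes memory data)
    public payable returns (bytes memory) {
    require(msg.sender == admin, "Timelock: must come from admin");
    (bool ok, bytes memory ret) = target.call.value(value)(data);
    require(ok, "Timelock: execution reverted");
    return ret;
}
"""
EXECUTOR_DELEGATECALL = EXECUTOR_CALL.replace(
    "target.call.value(value)(data)", "target.delegatecall(data)")
EXECUTOR_ALLOWLISTED = EXECUTOR_CALL.replace(
    "require(msg.sender == admin",
    'require(allowedTargets[target], "Timelock: target not allowlisted");\n'
    "    require(msg.sender == admin")

def assess_executor(source: str) -> dict:
    # Classify one executor function fragment under the RD-F-039 factor.
    m = FUNC_RE.search(source)
    if not m:
        raise ValueError("no function signature found")
    name, params = m.groups()
    # address-typed parameters are the proposal-supplied inputs
    address_params = set(re.findall(r"address\s+(?:payable\s+)?(\w+)", params))
    calls = LOWLEVEL_RE.findall(source)
    if not calls:
        return {"function": name, "kind": None, "score": "green"}
    receiver, kind = calls[0]
    proposal_supplied = receiver in address_params
    # allowlist heuristic: a require() that indexes or calls an allow/whitelist/
    # permit-named mapping or function with the receiver, e.g. allowed[target]
    allow_re = re.compile(
        r"require\s*\([^;]*\b\w*(?:allow|whitelist|permit)\w*\s*[\[(]\s*"
        + re.escape(receiver) + r"\s*[\])]", re.I)
    allowlisted = bool(allow_re.search(source))
    if not proposal_supplied or allowlisted:
        score = "green"
    else:
        score = "red" if kind == "delegatecall" else "yellow"
    return {"function": name, "kind": kind, "proposal_supplied": proposal_supplied,
            "allowlist": allowlisted, "score": score}
```

The regexes are a triage heuristic for reading executor source, not a substitute for reviewing the actual call path and any target checks done before the low-level call.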


rubric_version: v1.7.0
protocol: venus
factor: RD-F-039
score: yellow
collected_at: 2026-04-28 18:30:49