delegatecall with user-controlled target
Yearn Finance's assessment for RD-F-012 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
V3 TokenizedStrategy uses delegatecall in the BaseStrategy pattern, but the target is a hardcoded, immutable implementation address (the TOKENIZED_STRATEGY constant), not a caller-supplied value. No user-controlled delegatecall was identified in the vault core or in the strategy architecture documentation. The curator could not fully confirm this without running Slither (its controlled-delegatecall detector) over the Solidity periphery contracts. Graded yellow: partial evidence, and edge cases in periphery contracts cannot be ruled out.
Sources #
- GitHub, yearn/tokenized-strategy: Yearn tokenized-strategy repo; BaseStrategy uses a fixed implementation address. Retrieved 2026-05-16.
- Yearn V3 strategy writing guide, delegatecall architecture: immutable TokenizedStrategy delegatecall target. Retrieved 2026-05-16.
Methodology #
Determine whether any contract executes `delegatecall` to a target address that is, or can become, user-supplied without being checked against an on-chain allowlist. A `delegatecall` runs the target's code with the calling contract's storage, balance and `msg.sender`, so letting the caller choose the target is equivalent to letting the caller execute arbitrary code inside the contract; a compile-time constant or `immutable` target, as in the BaseStrategy pattern, removes that choice entirely.
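The three shapes this check distinguishes, as an added example written for this page (not code from the Yearn repository or the tokenized-strategy project; all contract names and the implementation address are hypothetical): a caller-chosen target that any account can hijack, the fixed-constant target pattern the evidence above describes, and an owner-managed allowlist.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// VULNERABLE: the caller picks the delegatecall target, so anyone can run
// arbitrary code with this contract's storage, balance and msg.sender.
contract OpenDelegator {
    address public owner = msg.sender; // storage slot 0

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "delegatecall failed");
        return ret;
    }
}

// Payload an attacker deploys and passes to OpenDelegator.execute: when run via
// delegatecall it writes slot 0 of the CALLER's storage, i.e. OpenDelegator.owner.
contract Hijack {
    address public owner; // mirrors OpenDelegator's slot layout

    function takeOver() external {
        owner = msg.sender;
    }
}

// PATTERN THE EVIDENCE DESCRIBES: target is a compile-time constant baked into
// bytecode. Nothing a caller sends can change where the delegatecall goes.
// (Hypothetical address; the real constant lives in BaseStrategy.)
contract FixedTargetStrategy {
    address public constant IMPLEMENTATION = 0x1111111111111111111111111111111111111111;

    fallback() external payable {
        address impl = IMPLEMENTATION;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// ACCEPTABLE UNDER THE RUBRIC: caller-chosen target, but only addresses an
// owner has allowlisted on-chain may be delegatecalled.
contract AllowlistedDelegator {
    address public immutable owner; // immutable lives in bytecode, not storage
    mapping(address => bool) public allowed;

    constructor() {
        owner = msg.sender;
    }

    function setAllowed(address target, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowed[target] = ok;
    }

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        require(allowed[target], "target not allowlisted");
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "delegatecall failed");
        return ret;
    }
}
```

Against `OpenDelegator`, a call to `execute(address(hijack), abi.encodeCall(Hijack.takeOver, ()))` from any account rewrites `owner` in the delegator's own storage, which is what the red grade on this factor denotes. Two caveats for the allowlist variant: a delegatecalled target, allowlisted or not, still has full write access to the caller's storage, including the `allowed` mapping itself, so the allowlist only bounds the set of code that can run and every entry must be trusted, non-upgradeable code; and keeping `owner` as `immutable` rather than a storage variable means a rogue target cannot overwrite it. For the constant-target pattern the remaining question is only whether the target's bytecode can change, which is why the evidence focuses on the address being fixed. Slither's `controlled-delegatecall` detector (`slither . --detect controlled-delegatecall`) flags the first shape and is the check the evidence summary says was not run over the periphery.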
See the full factor methodology and distribution across all protocols →