Arbitrary call with user-controlled target
Yearn Finance's assessment for RD-F-013 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No evidence of an arbitrary external call with a user-controlled target in the V3 vault core (Vyper). Strategies call fixed external protocols at addresses set by authorized roles. This cannot be fully confirmed for all periphery without Slither. Graded yellow on partial evidence.
Sources
- URL: Yearn V3 overview — strategy external call architecture. Yearn V3 overview — strategy external calls to fixed protocols. Retrieved 2026-05-16.
Methodology
Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.
- rubric_version: v1.7.0
- protocol: yearn-finance
- factor: RD-F-013
- score: yellow
- collected_at: 2026-05-16 08:34:32