Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Falcon Finance>Informational findings>Function ,updateDurationSettings, allows resetting ,totalLiquidity, and ,feeGrowthX128
GeneralOverview
Findings
Medium (1)
Low (1)
Informational (4)The rescueTokens does not validate that the token does not match USDf tokenFunction updateDurationSettings allows resetting totalLiquidity and feeGrowthX128Account restrictions can be bypassed in StakedUSDf contractThe setVestingPeriod may relock previously released assets
DiscussionThe initialization of StakedUSDf may failThe vestingPeriod and cooldownDuration can be set to zero simultaneously
Threat ModelWhat are threat models?ClassicMinterV1.solFalconBundler.solFalconPosition.solPreCollateralizedMinter.solStakedUSDf.solUSDfSilo.sol
Audit ResultsAssessment Results
Category: Business Logic

Function updateDurationSettings allows resetting totalLiquidity and feeGrowthX128

Informational Impact
Informational Severity
N/A Likelihood

Description

The FalconPosition contract supports different staking durations, and using the updateDurationSettings function, a caller with the DEFAULT_ADMIN_ROLE can enable a new duration or disable an already supported one.

If the provided duration is not yet supported, the _durationInfo mapping will be updated with a new DurationInfo object, initializing totalLiquidity and feeGrowthX128 to zero. The totalLiquidity variable tracks the current immature liquidity for the specified duration, while feeGrowthX128 serves as an accumulator for fees per duration. 

function updateDurationSettings(
    uint256 duration,
    bool isSupported,
    bool mintEnabled
)
    external
    onlyRole(DEFAULT_ADMIN_ROLE)
{
    // If duration wasn't previously supported, require mintEnabled to be false
    if (!_durationInfo[duration].isSupported && isSupported) {
        require(duration > 0, InvalidDuration());
        _durationInfo[duration] =
            DurationInfo({isSupported: true, mintEnabled: mintEnabled, totalLiquidity: 0, feeGrowthX128: 0});
    } else {
        _durationInfo[duration].isSupported = isSupported;
        _durationInfo[duration].mintEnabled = mintEnabled;
    }

    emit DurationUpdated(duration, isSupported, mintEnabled);
}

However, if the updateDurationSettings function is used to temporarily disable a specified duration and enable it again, the existing totalLiquidity and feeGrowthX128 values will be reset to zero.

Impact

Resetting totalLiquidity and feeGrowthX128 to zero will lock withdrawal and reward-collection functionalities for all currently immature positions associated with the specified duration, making these actions impossible to perform. However, since this function is controlled by a DEFAULT_ADMIN_ROLE and is not intended to be used for disabling previously activated durations, the impact of this issue is classified as Informational.

Recommendations

We recommend adding a verification step to check whether the duration has been previously supported and ensuring that existing totalLiquidity and feeGrowthX128 values are not reset when temporarily disabling a duration.

Remediation

This issue has been acknowledged by Falcon, and a fix was implemented in commit 82d42cb8.

Zellic © 2025Back to top ↑