Description

The StakedUSDf contract is an ERC-4626 vault implementation that supports account restrictions for the owners of sUSDf share tokens, preventing these accounts from depositing or withdrawing assets. However, since sUSDf tokens are transferable and the contract does not verify whether the initiator of a token transfer is currently restricted, this allows for effectively bypassing these restrictions.

function _deposit(address caller, address receiver, uint256 assets, uint256 shares) internal override {
    [...]
    _checkRestricted(caller);
    _checkRestricted(receiver);
    [...]
}

function _withdraw(address caller, address receiver, address owner, uint256 assets, uint256 shares)
    internal
    override
{
    [...]
    _checkRestricted(caller);
    _checkRestricted(receiver);
    _checkRestricted(owner);
    [...]
}

Impact

Restricted accounts may still transfer sUSDf tokens, which could allow them to bypass withdrawal restrictions. However, since there is no intention or plan to restrict transfers of sUSDf tokens for compliance or operational purposes, the impact of this issue is classified as Informational.

Recommendations

We recommend implementing a validation check within the transfer logic to ensure that restricted accounts cannot initiate token transfers.

Remediation

This issue has been acknowledged by Falcon, and a fix was implemented in commit 88d224fa↗.