Account restrictions can be bypassed in StakedUSDf contract
Description
The StakedUSDf contract is an ERC-4626 vault implementation that supports account restrictions for the owners of sUSDf share tokens, preventing these accounts from depositing or withdrawing assets. However, sUSDf tokens are transferable, and the contract does not verify whether the parties to a token transfer are currently restricted; a restricted account can therefore move its shares to an unrestricted account, effectively bypassing these restrictions. The restriction checks are applied only on the deposit and withdrawal paths:
function _deposit(address caller, address receiver, uint256 assets, uint256 shares) internal override {
    [...]
    _checkRestricted(caller);
    _checkRestricted(receiver);
    [...]
}

function _withdraw(address caller, address receiver, address owner, uint256 assets, uint256 shares)
    internal
    override
{
    [...]
    _checkRestricted(caller);
    _checkRestricted(receiver);
    _checkRestricted(owner);
    [...]
}
Impact
Restricted accounts may still transfer sUSDf tokens to other accounts, which could allow them to bypass the withdrawal restriction by having an unrestricted recipient redeem the shares. However, since there is no intention or plan to restrict transfers of sUSDf tokens for compliance or operational purposes, the impact of this issue is classified as Informational.
Recommendations
We recommend implementing a validation check within the token transfer logic so that restricted accounts can neither send nor receive sUSDf shares, closing the path around the deposit and withdrawal checks.
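The following sketch, added here as an illustration and not taken from the Falcon StakedUSDf code base, shows one way to apply the recommendation on an OpenZeppelin v5 ERC-4626 vault. The restriction storage, the `setRestricted` setter, the `restrictionManager` role and the body of `_checkRestricted` are assumptions; the real contract's elided deposit and withdraw logic is replaced by calls to the parent implementation. The new piece is the `_update` override, which every share movement (transfer, transferFrom, mint, burn) passes through in OpenZeppelin v5:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Hypothetical example contract (not Falcon's StakedUSDf). The restriction
// mapping, setRestricted and _checkRestricted are assumed for illustration.
contract RestrictedVaultExample is ERC4626 {
    error AccountRestricted(address account);

    mapping(address => bool) private _restricted;
    address public immutable restrictionManager;

    constructor(IERC20 asset_) ERC20("Example Share", "exSHARE") ERC4626(asset_) {
        restrictionManager = msg.sender;
    }

    // Assumed admin entry point for toggling a restriction.
    function setRestricted(address account, bool restricted) external {
        require(msg.sender == restrictionManager, "not manager");
        _restricted[account] = restricted;
    }

    function _checkRestricted(address account) internal view {
        if (_restricted[account]) revert AccountRestricted(account);
    }

    // Existing checks on the deposit path, as described in the finding.
    function _deposit(address caller, address receiver, uint256 assets, uint256 shares) internal override {
        _checkRestricted(caller);
        _checkRestricted(receiver);
        super._deposit(caller, receiver, assets, shares);
    }

    // Existing checks on the withdrawal path, as described in the finding.
    function _withdraw(address caller, address receiver, address owner, uint256 assets, uint256 shares)
        internal
        override
    {
        _checkRestricted(caller);
        _checkRestricted(receiver);
        _checkRestricted(owner);
        super._withdraw(caller, receiver, owner, assets, shares);
    }

    // Added check: in OpenZeppelin v5, transfer, transferFrom, mint and burn
    // all route through _update, so validating `from` and `to` here covers
    // the share-transfer path that _deposit/_withdraw do not. Mints have
    // from == address(0) and burns have to == address(0); the zero address
    // is skipped because the real parties were already checked above.
    function _update(address from, address to, uint256 value) internal override {
        if (from != address(0)) _checkRestricted(from);
        if (to != address(0)) _checkRestricted(to);
        super._update(from, to, value);
    }
}
```

Checking `from` rather than only `msg.sender` matters for `transferFrom`: an unrestricted spender with a prior allowance would otherwise still be able to move a restricted owner's shares out. On OpenZeppelin v4 the equivalent hook is `_beforeTokenTransfer(address from, address to, uint256 amount)`, with the same `from`/`to` checks.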
Remediation
This issue has been acknowledged by Falcon, and a fix was implemented in commit 88d224fa.