The rescueTokens function does not validate that the token does not match USDf token
Description
The StakingRewardsDistributor contract is designed to hold USDf tokens until they are transferred as rewards to the STAKING_VAULT contract. However, this contract also supports the rescueTokens function, which allows withdrawing mistakenly transferred tokens or native tokens.
The issue is that there is no validation in rescueTokens to ensure that the withdrawn token is not USDf. As a result, reward tokens can also be withdrawn using this function.
    function rescueTokens(
        address _token,
        address _to,
        uint256 _amount
    )
        external
        nonReentrant
        onlyRole(DEFAULT_ADMIN_ROLE)
    {
        // [...]
        if (_token == _ETH_ADDRESS) {
            // [...]
        } else {
            IERC20(_token).safeTransfer(_to, _amount);
        }
        // [...]
    }
Impact
The reward USDf tokens can be unintentionally withdrawn from the contract, potentially affecting the reward-distribution mechanism.
Recommendations
Add a validation check in the rescueTokens function to ensure that _token does not match the address of USDf token, preventing reward-token withdrawals.
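One way to implement the recommended check, as an added sketch that is not Falcon's code. It assumes OpenZeppelin Contracts v5 import paths; the contract name RescueGuardSketch, the REWARD_TOKEN immutable, the custom errors, and the address(0) value for _ETH_ADDRESS are hypothetical, since the page does not show them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. Import paths assume OpenZeppelin Contracts v5.
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract RescueGuardSketch is AccessControl, ReentrancyGuard {
    using SafeERC20 for IERC20;

    // Assumed sentinel for native ETH; the audited contract's value is not shown on the page.
    address private constant _ETH_ADDRESS = address(0);

    // Hypothetical name: the reward token (USDf), fixed at deployment so the
    // guard below cannot be repointed by a later admin call.
    IERC20 public immutable REWARD_TOKEN;

    error ZeroAddress();
    error CannotRescueRewardToken();
    error EthTransferFailed();

    constructor(IERC20 rewardToken, address admin) {
        if (address(rewardToken) == address(0) || admin == address(0)) revert ZeroAddress();
        REWARD_TOKEN = rewardToken;
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // Accept native tokens so that mistakenly sent ETH can be rescued.
    receive() external payable {}

    function rescueTokens(address _token, address _to, uint256 _amount)
        external
        nonReentrant
        onlyRole(DEFAULT_ADMIN_ROLE)
    {
        if (_to == address(0)) revert ZeroAddress();
        // The recommended validation: the reward token is never rescuable,
        // so rewards can leave only through the distribution path.
        if (_token == address(REWARD_TOKEN)) revert CannotRescueRewardToken();

        if (_token == _ETH_ADDRESS) {
            (bool ok, ) = _to.call{value: _amount}("");
            if (!ok) revert EthTransferFailed();
        } else {
            IERC20(_token).safeTransfer(_to, _amount);
        }
    }
}
```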
Remediation
Falcon provided the following response:
We believe this is an intentional design choice. The ability for the admin to withdraw any tokens, including USDf, provides necessary flexibility for emergency situations or when funds need to be reallocated. This admin privilege is part of our trust model and will be clearly documented for users. Since the function is protected by the DEFAULT_ADMIN_ROLE, only trusted administrators can execute it, mitigating the risk of misuse.