Description

The StakingRewardsDistributor contract is designed to hold USDf tokens until they are transferred as rewards to the STAKING_VAULT contract. However, this contract also supports the rescueTokens function, which allows withdrawing mistakenly transferred tokens or native tokens.

The issue is that there is no validation in rescueTokens to ensure that the withdrawn token is not USDf. As a result, reward tokens can also be withdrawn using this function.

function rescueTokens(
    address _token,
    address _to,
    uint256 _amount
)
    external
    nonReentrant
    onlyRole(DEFAULT_ADMIN_ROLE)
{
    // [...]

    if (_token == _ETH_ADDRESS) {
        // [...]
    } else {
        IERC20(_token).safeTransfer(_to, _amount);
    }
    
    // [...]
}

Impact

The reward USDf tokens can be unintentionally withdrawn from the contract, potentially affecting the reward-distribution mechanism.

Recommendations

Add a validation check in the rescueTokens function to ensure that _token does not match the address of USDf token, preventing reward-token withdrawals.

Remediation

Falcon provided the following response:

We believe this is an intentional design choice. The ability for the admin to withdraw any tokens, including USDf, provides necessary flexibility for emergency situations or when funds need to be reallocated. This admin privilege is part of our trust model and will be clearly documented for users. Since the function is protected by the DEFAULT_ADMIN_ROLE, only trusted administrators can execute it, mitigating the risk of misuse.