
The initialization of StakedUSDf may fail

The initialize function sets the USDfSilo contract's _stakingVault address by calling silo_.setStakingVault().

However, setStakingVault can be invoked by any caller before the initialization. Once _stakingVault is set, any further call reverts with AlreadySet, so the silo_.setStakingVault() call inside initialize would revert and the contract initialization would fail.

contract StakedUSDf is IStakedUSDf, AccessControlUpgradeable, ERC20PermitUpgradeable, ERC4626Upgradeable {
    // [...]
    function initialize(
        IERC20 usdf,
        address admin,
        USDfSilo silo_,
        uint32 initialVesting,
        uint24 initialCooldown
    )
        external
        initializer
    {
        // [...]

        silo = silo_;
        silo_.setStakingVault();
    }
    // [...]
}

contract USDfSilo {
    // [...]
    constructor(address usdf) {
        _USDF = IERC20(usdf);
    }
    // [...]
    function setStakingVault() external {
        require(_stakingVault == address(0), AlreadySet());
        _stakingVault = msg.sender;
    }
    // [...]
}
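
One way to close the window described above, as an added example that is not Falcon's or Zellic's code: the silo records its deployer and only that account may bind the vault, once. HardenedSilo, _DEPLOYER, NotDeployer, ZeroAddress and the stakingVault() getter are hypothetical names; this variant assumes the deployer calls setStakingVault(vault) after the vault is initialized, so initialize would only store silo_.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (assumption-based sketch), mirroring the USDfSilo excerpt above.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract HardenedSilo {
    error AlreadySet();
    error NotDeployer();
    error ZeroAddress();

    IERC20 private immutable _USDF;
    // Hypothetical addition: the only account allowed to bind the vault.
    address private immutable _DEPLOYER;
    address private _stakingVault;

    constructor(address usdf) {
        _USDF = IERC20(usdf);
        _DEPLOYER = msg.sender;
    }

    // One-shot binding restricted to the deployer. An unrelated caller can no
    // longer occupy the _stakingVault slot before the vault is initialized,
    // and the vault address is passed explicitly instead of using msg.sender.
    function setStakingVault(address vault) external {
        if (msg.sender != _DEPLOYER) revert NotDeployer();
        if (vault == address(0)) revert ZeroAddress();
        if (_stakingVault != address(0)) revert AlreadySet();
        _stakingVault = vault;
    }

    // Lets a deployment script confirm the binding before going live.
    function stakingVault() external view returns (address) {
        return _stakingVault;
    }
}
```

A deployment script using this variant can assert that stakingVault() returns the vault address as its final step, which turns a misbound silo into a failed deployment rather than a latent fault.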

Falcon provided the following response:

We already deployed the contracts successfully, and the issue is not relevant anymore.
