Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Falcon Finance>Discussion>The initialization of StakedUSDf may fail
GeneralOverview
Findings
Medium (1)
Low (1)
Informational (4)
DiscussionThe initialization of StakedUSDf may failThe vestingPeriod and cooldownDuration can be set to zero simultaneously
Threat ModelWhat are threat models?ClassicMinterV1.solFalconBundler.solFalconPosition.solPreCollateralizedMinter.solStakedUSDf.solUSDfSilo.sol
Audit ResultsAssessment Results

The initialization of StakedUSDf may fail

The USDfSilo contract's initialize function calls to set the _stakingVault address using silo_.setStakingVault().

However, since setStakingVault can be invoked by any caller before the initialization, this may lead to a failed contract initialization.

contract StakedUSDf is IStakedUSDf, AccessControlUpgradeable, ERC20PermitUpgradeable, ERC4626Upgradeable {
    // [...]
    function initialize(
        IERC20 usdf,
        address admin,
        USDfSilo silo_,
        uint32 initialVesting,
        uint24 initialCooldown
    )
        external
        initializer
    {
        // [...]

        silo = silo_;
        silo_.setStakingVault();
    }
    // [...]
}
contract USDfSilo {
    // [...]
    constructor(address usdf) {
        _USDF = IERC20(usdf);
    }
    // [...]
    function setStakingVault() external {
        require(_stakingVault == address(0), AlreadySet());
        _stakingVault = msg.sender;
    }
    // [...]
}

Falcon provided the following response:

we already deployed the contracts successfully and the issue is not relevant anymore.

Zellic © 2025Back to top ↑