Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Falcon Finance>Discussion>The vestingPeriod and cooldownDuration can be set to zero simultaneously
GeneralOverview
Findings
Medium (1)
Low (1)
Informational (4)
DiscussionThe initialization of StakedUSDf may failThe vestingPeriod and cooldownDuration can be set to zero simultaneously
Threat ModelWhat are threat models?ClassicMinterV1.solFalconBundler.solFalconPosition.solPreCollateralizedMinter.solStakedUSDf.solUSDfSilo.sol
Audit ResultsAssessment Results

The vestingPeriod and cooldownDuration can be set to zero simultaneously

In the StakedUSDf contract, the _setVestingPeriod function includes a validation check to ensure that either the new vestingPeriod or the current cooldownDuration is nonzero. However, the setCooldownDuration function lacks a similar verification.

As a result, it is possible for both vestingPeriod and cooldownDuration to be set to zero simultaneously. However, it is expected that if vestingPeriod is set to zero, the cooldown mechanism should remain active. We recommend adding the relevant validation check to setCooldownDuration.

Falcon provided the following response:

This configuration is controlled by trusted administrators, and we have appropriate governance processes in place to ensure that any changes to these parameters are thoroughly considered.

Zellic © 2025Back to top ↑