defirisk.co
rubric v1.7.0

Arbitrary call with user-controlled target

Falcon Finance's assessment for RD-F-013 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Closed-source; no Slither arbitrary-send-eth output. Standard ERC-20/ERC4626 unlikely to have arbitrary call targets, but post-TGE contracts unverifiable.

Detail

USDf and sUSDf are standard ERC-20 and ERC4626 contracts — these patterns do not typically include arbitrary external call targets. The Staking Rewards Distributor and FF Staking Vault (unaudited) may have more complex call patterns but cannot be verified without source access.

Sources

Methodology

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.
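As an added illustration of the pattern this check looks for (constructed example, not Falcon Finance code; the contract and function names are hypothetical), the unrestricted form sits beside one that applies a target allowlist and a per-target selector filter:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example for the RD-F-013 check; not from any audited protocol.

// Flagged pattern: target and data are both caller-supplied, so any caller
// can route a call through this contract to any address and function.
// Every approval or privilege held by the contract becomes reachable.
contract UnrestrictedExecutor {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Restricted form: an owner-maintained allowlist of targets and, per target,
// of 4-byte function selectors bounds what an external caller can reach.
contract RestrictedExecutor {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;                  // target => allowed
    mapping(address => mapping(bytes4 => bool)) public allowedSelector; // target => selector => allowed

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
    }

    function setSelector(address target, bytes4 selector, bool allowed) external onlyOwner {
        allowedSelector[target][selector] = allowed;
    }

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        require(allowedTarget[target], "target not allowed");
        require(data.length >= 4, "missing selector");
        // Selector is the first 4 bytes of calldata; check it against the allowlist.
        require(allowedSelector[target][bytes4(data[:4])], "selector not allowed");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

Slither's arbitrary-send-eth detector, referenced in the evidence summary, only covers value-bearing calls; a selector filter as above also matters for calls that carry no ETH but exercise token approvals or other privileges.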


rubric_version: v1.7.0
protocol: falcon-finance
factor: RD-F-013
score: gray
collected_at: 2026-05-12 04:06:37