★ Rescue/emergencyWithdraw without timelock
Falcon Finance's assessment for RD-F-041 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[★ CRITICAL] `rescueTokens()` on StakingRewardsDistributor and `recoverERC20()` on FF Staking Vault are callable by the admin with zero timelock. The 4-of-6 Safe can drain peripheral contract balances in a single transaction at any moment.
Detail
StakingRewardsDistributor (0x8AF2EFa…) ABI: `rescueTokens(address,address,uint256)`, which requires `DEFAULT_ADMIN_ROLE`. FF Staking Vault (0x1E7fFB…) ABI: `recoverERC20(address,uint256)`. No timelock gates either function. The admin Safe holds or can grant `DEFAULT_ADMIN_ROLE`. While the USDf and sUSDf core proxies don't have named rescue functions, the upgrade power (also untimelocked) allows deploying a malicious implementation that extracts all user funds. Combined: rescue-without-timelock affects the peripheral contracts; full-drain-via-upgrade affects the core $1.618B TVL.
Sources
- Etherscan: StakingRewardsDistributor ABI — rescueTokens() not timelocked. https://etherscan.io/address/0x8AF2EFa47efB2095b80D82577c597186Ea2FFFea#code (retrieved 2026-05-12)
- Falcon Finance smart contracts page — no timelock listed. https://docs.falcon.finance/resources/smart-contracts (retrieved 2026-05-12)
- FF Staking Vault — recoverERC20() callable by admin. https://etherscan.io/address/0x1E7fFB2cc2B0D9672b3E615dD5669C06F8673CAe#code (retrieved 2026-05-12)
Methodology
Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists callable by admin without a timelock delay on execution.
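One way to automate this check, added here as an example (it is not the curator's tooling or Falcon Finance code): scan a contract ABI for state-changing functions with rescue-style names, then combine the result with the execution delay on the admin path. The function names, `SAMPLE_ABI` and the `admin_min_delay_seconds` parameter are assumptions; the ABI alone cannot show whether a timelock sits in front of the admin role, so that value has to come from inspecting the role holder.

```python
import re

# Name prefixes taken from this page: rescueTokens(), recoverERC20(),
# and the methodology's rescue(...) / emergencyWithdraw(...).
RESCUE_NAME = re.compile(r"^(rescue|recover|emergencyWithdraw)", re.IGNORECASE)


def canonical_type(param):
    """Expand ABI tuple types into the (t1,t2) form used in signatures."""
    t = param["type"]
    if t.startswith("tuple"):
        inner = ",".join(canonical_type(c) for c in param.get("components", []))
        return "(" + inner + ")" + t[len("tuple"):]
    return t


def rescue_functions(abi):
    """Return signatures of state-changing functions with rescue-style names."""
    found = []
    for entry in abi:
        if entry.get("type") != "function":
            continue  # events and errors can share the name but move nothing
        if entry.get("stateMutability") in ("view", "pure") or entry.get("constant"):
            continue  # read-only functions cannot move balances
        if RESCUE_NAME.match(entry.get("name", "")):
            args = ",".join(canonical_type(p) for p in entry.get("inputs", []))
            found.append(f"{entry['name']}({args})")
    return sorted(found)


def assess(abi, admin_min_delay_seconds):
    """Flag rescue functions whose admin path enforces no execution delay."""
    # admin_min_delay_seconds is analyst-supplied (assumption): the delay
    # enforced by whatever holds the admin role, 0 for a plain multisig.
    sigs = rescue_functions(abi)
    return {"functions": sigs,
            "untimelocked": bool(sigs) and admin_min_delay_seconds == 0}


# Constructed sample ABI fragment for illustration (not copied from Etherscan).
SAMPLE_ABI = [
    {"type": "function", "name": "rescueTokens", "stateMutability": "nonpayable",
     "inputs": [{"type": "address"}, {"type": "address"}, {"type": "uint256"}]},
    {"type": "function", "name": "recoverableBalance", "stateMutability": "view", "inputs": []},
    {"type": "event", "name": "Rescued", "inputs": []},
]
```

A name match is only a lead: the function body and its access modifier still need to be read to confirm it transfers balances and who can call it.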