defirisk.co
rubric v1.7.0

Admin has mint() with unlimited max

Falcon Finance's assessment for RD-F-042 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[★ CRITICAL] USDf mint(address,uint256) has no supply cap. DEFAULT_ADMIN_ROLE (held by 4-of-6 Safe) can grantRole(MINTER_ROLE, attacker) then mint unlimited USDf. Two-step route to unbounded inflation, executable with zero delay.

Detail

USDf implementation (0x3aDf34C0…) ABI: mint(address,uint256) requires MINTER_ROLE; grantRole(bytes32,address) requires DEFAULT_ADMIN_ROLE; no maxSupply variable visible in ABI. The Safe holds DEFAULT_ADMIN_ROLE via initialize(admin). Attack path: Safe tx1 → grantRole(MINTER_ROLE, attacker); Safe tx2 (or same) → mint(attacker, uint256.max). No supply cap prevents unlimited issuance. This threatens the $1.618B of user collateral backing USDf — unlimited minting devalues existing USDf holders' claims against the reserve.

Sources

Methodology

Determine whether an admin-callable `mint` on a protocol token has no supply cap or an unlimited maximum supply.
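The ABI-level check described in the Detail section and stated as the methodology above, written out as an added example (this is not defirisk.co's tooling; the ABI fragments, the getter-name list and the function names are constructed for illustration):

```python
"""Heuristic ABI check for the RD-F-042 factor: is there a mint()
function with no visible supply cap? Constructed example, not the
curator's tooling; the ABIs below are made up for illustration."""
import json

# Getter names commonly exposed by capped ERC-20 implementations (assumed list).
CAP_GETTERS = {"cap", "maxsupply", "max_supply", "supplycap", "maxtotalsupply"}


def assess_mint_cap(abi):
    """Return a dict describing mint exposure in an ERC-20 style ABI.

    Only function entries matter; events and constructors are ignored.
    A cap getter is a zero-argument view returning a single uint256.
    Absence of a getter does not prove the bytecode enforces no cap, so
    the result is a red flag to verify against source, not a proof.
    """
    funcs = [e for e in abi if e.get("type") == "function"]
    names = {f["name"] for f in funcs}

    def is_cap_getter(f):
        return (f["name"].lower() in CAP_GETTERS
                and not f.get("inputs")
                and f.get("stateMutability") in ("view", "pure")
                and [o["type"] for o in f.get("outputs", [])] == ["uint256"])

    mint_sigs = [f"{f['name']}({','.join(i['type'] for i in f.get('inputs', []))})"
                 for f in funcs if f["name"] == "mint"]
    cap_getters = sorted(f["name"] for f in funcs if is_cap_getter(f))
    # grantRole next to mint: the admin can appoint any minter (two-step route).
    role_managed = "grantRole" in names
    red = bool(mint_sigs) and not cap_getters
    return {"mint": mint_sigs, "cap_getters": cap_getters,
            "role_managed_minter": role_managed,
            "score": "red" if red else "not-red"}


# Constructed ABI fragment shaped like the case on the page: mint plus
# grantRole and no cap getter.
UNCAPPED_ABI = json.loads("""[
 {"type":"function","name":"mint","stateMutability":"nonpayable",
  "inputs":[{"name":"to","type":"address"},{"name":"amount","type":"uint256"}],"outputs":[]},
 {"type":"function","name":"grantRole","stateMutability":"nonpayable",
  "inputs":[{"name":"role","type":"bytes32"},{"name":"account","type":"address"}],"outputs":[]},
 {"type":"function","name":"totalSupply","stateMutability":"view","inputs":[],
  "outputs":[{"name":"","type":"uint256"}]}
]""")

# The same token with an OpenZeppelin-style cap() getter added (constructed).
CAPPED_ABI = UNCAPPED_ABI + [{"type": "function", "name": "cap", "stateMutability": "view",
                              "inputs": [], "outputs": [{"name": "", "type": "uint256"}]}]

if __name__ == "__main__":
    print(assess_mint_cap(UNCAPPED_ABI))  # score: red
    print(assess_mint_cap(CAPPED_ABI))    # score: not-red
```

A "not-red" result only means a cap getter is exposed; whether mint() actually enforces it still has to be confirmed in the verified source.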


rubric_version: v1.7.0
protocol: falcon-finance
factor: RD-F-042
score: red
collected_at: 2026-05-12 04:06:37