★ Post-audit code changes without re-audit
Falcon Finance's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[★ CRITICAL] FF Staking Vault, sFF, sFF-Prime, and StakingRewardsDistributor were deployed after the Feb 2025 audits (FF TGE September 29, 2025). No audit covering these post-TGE contracts has been identified. Material unaudited surface at $1.618B TVL.
Detail
Audit timeline: Pashov completed 2025-02-17; Zellic USDf/sUSDf completed 2025-03-07. Both audits covered only the USDf and sUSDf core contracts. FF TGE: 2025-09-29. Post-TGE contracts deployed: sFF (0x1a0c3f…), sFF-Prime (0x41FF52…), and FF Staking Vault (0x1E7fFB…) all postdate the audits. The StakingRewardsDistributor deployment date is unconfirmed but plausibly also post-audit. A Zellic FF token audit exists (reports.zellic.io/publications/falcon-finance-ff), but its scope and date are unconfirmed; it may not cover the vault/sFF/sFF-Prime contracts. No audit PDF was found that explicitly covers the post-TGE staking infrastructure.
Sources
- Docs: Falcon Finance audits page — no GitHub source link. https://docs.falcon.finance/resources/audits (retrieved 2026-05-12)
- Zellic USDf/sUSDf audit — scope limited to USDf and sUSDf, Feb 2025. https://github.com/Zellic/publications/blob/master/Falcon%20Finance%20-%20Zellic%20Audit%20Report.pdf (retrieved 2026-05-12)
- FF Staking Vault — recoverERC20() callable by admin. https://etherscan.io/address/0x1E7fFB2cc2B0D9672b3E615dD5669C06F8673CAe#code (retrieved 2026-05-12)
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.