★ Reinitializable implementation (no _disableInitializers)
Falcon Finance's assessment for RD-F-143 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The USDf implementation has an initialize() function. Zellic flagged sUSDf initialization as a Medium finding. Whether _disableInitializers() is called in the constructor cannot be confirmed from the Etherscan ABI alone. Yellow pending code-security-analyst bytecode verification — may escalate to CRITICAL RED.
Detail
The USDf implementation (0x3aDf34C0…) ABI shows an initialize(address admin) function. The sUSDf implementation (0x0D132bEE…) ABI shows a similar initializer. The Zellic audit (Feb 2025) found a Medium-severity issue, 'the initialization of StakedUSDf may fail', indicating that initialization security was a known risk area at audit time. Whether _disableInitializers() is called in the constructors of the currently deployed implementations cannot be determined from the Etherscan ABI view alone; full bytecode decompilation or source code constructor inspection is required.
Sources
- Etherscan: USDf implementation ABI — no timelock-gated functions. https://etherscan.io/address/0x3aDf34C09DAC24E4BAeFB1b1df4C2992edC2b789#code (retrieved 2026-05-12)
- Zellic Audit — Falcon Finance USDf/sUSDf (1 Medium: StakedUSDf initialization may fail). https://reports.zellic.io/publications/falcon-finance (retrieved 2026-05-12)
Methodology
Determine whether the implementation contract omits the `_disableInitializers()` call in its constructor, leaving re-initialization possible.
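One way to carry out the source code constructor inspection described above, as an added example that is not the curator's tooling or Falcon Finance's code. The two contract sources are constructed samples, and the `assess` labels are hypothetical names chosen for this sketch.

```python
import re

# Constructed sample sources (not Falcon Finance code) for an upgradeable token.
UNLOCKED = """
contract TokenV1 is Initializable {
    constructor() { /* TODO: _disableInitializers(); */ }
    function initialize(address admin) external initializer { _grant(admin); }
}
"""
LOCKED = """
contract TokenV1 is Initializable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() { _disableInitializers(); }
    function initialize(address admin) external initializer { _grant(admin); }
}
"""

def strip_comments(src: str) -> str:
    """Remove /* */ and // comments so commented-out calls are not counted."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def constructor_bodies(src: str) -> list[str]:
    """Return the brace-matched body of every constructor in the source."""
    bodies = []
    for m in re.finditer(r"\bconstructor\s*\(", src):
        start = src.find("{", m.end())
        if start == -1:
            continue
        depth, i = 0, start
        while i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            if depth == 0:
                bodies.append(src[start + 1:i])
                break
            i += 1
    return bodies

def assess(src: str) -> str:
    """Classify one implementation source for the reinitialization factor."""
    code = strip_comments(src)
    has_init = re.search(r"\bfunction\s+initialize\s*\(", code) is not None
    locked = any(re.search(r"\b_disableInitializers\s*\(\s*\)", b)
                 for b in constructor_bodies(code))
    if not has_init:
        return "no-initializer"
    return "locked" if locked else "unlocked"
```

Run it over the flattened verified source so that constructors in base contracts are included; string literals containing `//` are not handled by the comment stripper.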