defirisk.co
rubric v1.7.0

Falcon Finance

Delta-neutral basis-trading synthetic-dollar protocol. USDf overcollateralized synthetic USD + sUSDf yield-bearing staked token. Returns generated via institutional-grade trading strategies (basis trades on Binance/Bybit via Fireblocks/Ceffu custody).

Sector yield
TVL $1.6B
Reviewed May 12, 2026
Factors 184
Categories 13
Risk score 46.8
Deployments Ethereum · $1.6B

01 Risk profile at a glance

1 red · 7 yellow · 3 green
02 Categories & evidence

184 factors · 13 categories
Code & audits · Yellow · 45 · 25 of 25 factors
RD-F-001 red Audit scope mismatch No public GitHub; commit SHAs unverifiable. Three audits (Zellic Feb-Mar 2025, Pashov Feb 2025) predate post-TGE contracts (sFF Sep 2025, sFF-Prime Jan 2026, FF Staking Vault Nov 2025). Material audit-scope mismatch at $1.618B TVL.
RD-F-002 red Audit recency Most recent audit (Zellic USDf/sUSDf) published March 7 2025 — 431 days before assessment date 2026-05-12. Pashov: Feb 17 2025 — 449 days. All known audits are >365 days old. Post-TGE contracts have no audit at all.
RD-F-007 red Bug bounty presence & max payout No active bug bounty program on Immunefi, Cantina, or any other platform as of 2026-05-12. Protocol docs and security guide confirm no bounty. Data cache bug_bounty.platform: null. Red at $1.618B TVL.
RD-F-009 red Formal verification coverage No formal verification (Certora Prover, Kani, Halmos, or equivalent) identified in any audit or public disclosure. Zellic and Pashov use traditional manual review. No FV spec files findable.
RD-F-183 red Bug bounty scope gap on highest-TVL contracts No active bug bounty program exists for Falcon Finance. No scope at all — worse than 'highest-TVL contracts excluded.' Off-chain custody layer ($1.6B+ via Fireblocks/Ceffu) is categorically uninsurable via on-chain bounty.
RD-F-003 yellow Resolved-without-proof findings Zellic medium finding 'StakedUSDf initialization may fail' acknowledged and fixed at commit 9c34a242. No public GitHub to verify the fix is in deployed bytecode. Pashov finding details not fully extractable from binary PDF. No unverifiable high/critical resolutions identified.
RD-F-005 yellow Audit firm tier Zellic is Tier-1 (covered USDf/sUSDf/FF). Pashov is established Tier-2. Post-TGE contracts (sFF, sFF-Prime, Staking Vault) have zero coverage from any tier firm — partial green threshold met.
RD-F-006 yellow Audit-to-deploy gap Zellic audit window Feb 11-17 2025; USDf proxy upgrade occurred Feb 10 2025. Pashov report date Feb 17 2025. Audit appears simultaneous with or slightly after initial deploy — gap is close but uncertain direction. Scored yellow (not green) due to uncertainty about audit-then-deploy vs deploy-then-audit ordering.
RD-F-010 yellow Static-analyzer high-severity count No published static analysis output. Using audits as proxy: Zellic 0C/0H/1M in audited scope. Post-TGE contracts (sFF, sFF-Prime, FF Staking Vault) unassessable. Scored yellow — partial audit evidence, unaudited surface material.
RD-F-014 yellow Reentrancy guard on external-calling functions USDf/sUSDf: Zellic found no reentrancy issues. OZ ERC4626Upgradeable uses standard CEI patterns. Post-TGE contracts (sFF-Prime, FF Staking Vault) are unaudited — reentrancy guard status unknown.
RD-F-022 yellow Public initialize() without initializer modifier USDf impl initialize(address admin) — modifier not confirmed in ABI. sUSDf impl initialize() inherits Initializable (OZ) with _disableInitializers mechanism. Zellic medium finding: StakedUSDf initialization may fail (0,0 params). No evidence of completely unprotected open initializer. Closed source prevents full verification.
RD-F-023 yellow Constructor calls _disableInitializers() sUSDf impl: Initializable (OZ) + _disableInitializers mechanism confirmed per Etherscan page. USDf impl: constructor nonpayable, _disableInitializers not confirmed from ABI. Post-TGE contracts: not verified.
RD-F-024 yellow Code complexity vs audit coverage Zellic: 7-day audit window for USDf/sUSDf (2 standard ERC-20 contracts) — adequate for scope. Post-TGE contracts (sFF, sFF-Prime, Staking Vault) have 0 audit coverage. Complexity-to-coverage ratio poor for full deployed surface.
RD-F-008 gray Ignored bounty disclosure No prior exploits or security incidents documented as of 2026-05-12. Factor assesses ignored pre-exploit disclosures — no exploits means no such pattern can be assessed. Gray (N/A pattern).
RD-F-011 gray SELFDESTRUCT reachable from non-admin path Closed-source codebase; no published Slither suicidal detector output; cannot run tools. Standard OZ ERC-20 pattern unlikely to include SELFDESTRUCT but cannot confirm for all contracts, especially unaudited post-TGE contracts.
RD-F-012 gray delegatecall with user-controlled target Closed-source; no Slither controlled-delegatecall output. TransparentUpgradeableProxy uses delegatecall internally (admin-controlled target). Cannot verify peripheral/post-TGE contracts.
RD-F-013 gray Arbitrary call with user-controlled target Closed-source; no Slither arbitrary-send-eth output. Standard ERC-20/ERC4626 unlikely to have arbitrary call targets, but post-TGE contracts unverifiable.
RD-F-016 gray Divide-before-multiply pattern No published Slither divide-before-multiply output. Closed source. Zellic found no arithmetic issues in audited scope. Post-TGE contracts unassessable.
RD-F-017 gray Mixed-decimals math without explicit scaling USDf is 18-decimal standard. No cross-decimal mismatch in audited scope. Cannot assess collateral pricing logic for ~30 heterogeneous assets without source access.
RD-F-018 gray Signed/unsigned arithmetic confusion No static analysis tool run. Solidity 0.8.x prevents overflows but not signed/unsigned confusion. No finding in Zellic or Pashov. Post-TGE contracts unassessable.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned USDf, sUSDf, and sFF all use TransparentUpgradeableProxy (EIP-1967), not UUPS. UUPS _authorizeUpgrade factor is N/A for Transparent proxy pattern.
RD-F-004 green Audit count 2 distinct firms: Zellic (Tier-1, 2 engagements) and Pashov Audit Group (Tier-2, 1 engagement). Green threshold of >=2 distinct firms met for USDf/sUSDf/FF scope.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard USDf and sUSDf are ERC-20 contracts with no ERC-777/1155/721 integration identified. Falcon Position NFT is peripheral (position tracking only, not core TVL). No audit finding flags callback hook risk.
RD-F-019 green ecrecover zero-address return unchecked USDf uses OZ ERC20PermitUpgradeable which uses OZ ECDSA.recover() — safe wrapper. No ecrecover finding in Zellic audit. Etherscan dep listing confirms OZ upgradeable pattern.
RD-F-020 green EIP-712 domain separator missing chainId USDf inherits EIP712Upgradeable from OZ which includes chainId in domain separator by default. sUSDf same. No cross-chain replay finding in Zellic.
Governance & admin · Yellow · 49 · 24 of 24 factors
RD-F-028 red Low-threshold multisig vs TVL [★ CRITICAL] 4-of-6 Safe at $1.618B TVL with ZERO timelock. Peer norm at $1B+ TVL is 5/8+ with 24-72h timelock. All 5 non-deployer signer identities are opaque — effective trust relies on 4 anonymous parties. Single coordinated compromise enables immediate drain with no user exit window.
RD-F-032 red Timelock duration on upgrades ZERO timelock delay. No TimelockController deployed. All proxy upgrades and admin actions execute immediately upon Safe threshold confirmation. At $1.618B TVL this is a critical infrastructure gap.
RD-F-033 red Timelock on sensitive actions No sensitive action (upgrade, mint-role-grant, rescue, pause, parameter-set) is timelocked. All route through the 4-of-6 Safe as direct calls with 0-second delay.
RD-F-035 red Role separation: upgrade ≠ fee ≠ oracle No confirmed role separation. Upgrade, DEFAULT_ADMIN_ROLE, and likely fee/oracle-config roles all appear to route to the same 4-of-6 Safe. One multisig rules all privileged functions.
RD-F-038 red Proposal execution delay < 24h Proxy upgrade delay = 0 seconds. No queue step exists. After 4-of-6 threshold is reached, any upgrade or admin call executes immediately in the same transaction block.
RD-F-040 red Emergency-veto multisig present No emergency-veto multisig identified. No CANCELLER_ROLE on any TimelockController (none exists). No circuit-breaker mechanism found in docs or contracts. The same 4-of-6 Safe is the only control mechanism.
RD-F-041 red Rescue/emergencyWithdraw without timelock [★ CRITICAL] rescueTokens() on StakingRewardsDistributor and recoverERC20() on FF Staking Vault callable by admin with zero timelock. The 4-of-6 Safe can drain peripheral contract balances in a single transaction at any moment.
RD-F-042 red Admin has mint() with unlimited max [★ CRITICAL] USDf mint(address,uint256) has no supply cap. DEFAULT_ADMIN_ROLE (held by 4-of-6 Safe) can grantRole(MINTER_ROLE, attacker) then mint unlimited USDf. Two-step route to unbounded inflation, executable with zero delay.
RD-F-047 red Governance token concentration (Gini) Effective governance power is entirely the 4-of-6 Safe — maximum centralization. FF token is 100% fixed supply minted to a single address at TGE. Token governance not yet operational. Gini coefficient of governance power = 1.0 (one entity holds all power).
RD-F-025 yellow Admin key custody type Admin key custody type is multisig-only (4-of-6 Gnosis Safe 1.4.1). No timelock. Classified 'multisig' not 'multisig+timelock'. This is the single administrative control layer for $1.618B TVL.
RD-F-026 yellow Upgrade multisig signer configuration (M/N) 4-of-6 threshold (Safe API confirmed). 6 owner addresses; threshold=4. At $1.618B TVL, 4/6 is below peer norm of 5/8+ for billion-dollar protocols with no timelock.
RD-F-031 yellow Signer rotation recency Safe nonce=16, deployed 2025-01-16. No AddedOwner or RemovedOwner events visible from Etherscan inspection. Signer set appears stable but no rotation or age-of-key data is available. Deployer remains a signer since genesis — no rotation.
RD-F-043 yellow Admin = deployer EOA after 7 days Deployer EOA (0x804016…) is not the sole proxy admin — admin was set to the 4-of-6 Safe from genesis. However, deployer remains a permanent Safe signer with no plan for rotation. Not a solo-EOA-admin situation but structural concentration persists.
RD-F-029 gray Multisig signers co-hosted 5 of 6 Safe signers are pseudonymous with no public identity attestation. Cannot assess co-hosting or shared custody without identity information.
RD-F-030 gray Hot-wallet signer flag Cannot assess hot-wallet signing patterns for 5 pseudonymous signers without identity data. Deployer EOA (0x804016…) has on-chain activity consistent with an active wallet but is not the primary admin risk.
RD-F-034 gray Guardian/pause-keeper distinct from upgrader No confirmed guardian or pause-keeper role separate from the admin Safe. StakingRewardsDistributor has PAUSER_ROLE but holder is unconfirmed from public reads. No emergency circuit-breaker distinct from the 4-of-6 Safe identified in docs or contracts.
RD-F-027 green Single admin EOA Admin is the 4-of-6 Gnosis Safe, not a single EOA. Proxy admin role was set to the Safe at genesis (Jan 16, 2025). Deployer EOA is one of 6 signers but cannot act alone.
RD-F-036 green Flash-loanable voting weight No on-chain Governor contract. Token governance not yet active. Flash-loanable voting weight is structurally inapplicable in current protocol state.
RD-F-037 green Quorum achievable via single-entity flash loan N/A — no on-chain quorum-based governance active. Flash-loan quorum manipulation structurally impossible.
RD-F-039 green delegatecall/call in proposal execution without allowlist No Governor proposal execution path with delegatecall exists. All admin actions flow through the 4-of-6 Safe as direct calls. No arbitrary-target execution surface.
RD-F-044 green Admin wallet interacts with flagged addresses Deployer EOA (0x804016…) funded by MEXC exchange withdrawal. No Tornado Cash, Railgun, or OFAC-sanctioned address interactions identified. Other 5 signers not assessable (pseudonymous).
RD-F-045 green Constructor args match governance proposal No Governor proposal format exists. Upgrades are direct Safe executions. No proposal-to-constructor-arg mismatch surface in this architecture.
RD-F-046 green Contract unverified on Etherscan/Sourcify All assessed production contracts are Etherscan-verified with exact match: USDf proxy + impl, sUSDf proxy + impl, FF Token, StakingRewardsDistributor, FF Staking Vault, sFF proxy. No unverified production contract identified.
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated contracts with active admin control and live user value identified. Protocol is young (12 months from public launch). No prior proxy implementations carrying active value under admin control.
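The timelock and multisig findings above reduce to checks a monitor can run on a Safe snapshot. The block below is an added example, not Falcon's code or the rubric's tooling: it scores a snapshot against the peer norm cited here (5-of-8 or stronger with a 24-72h timelock at $1B+ TVL) and diffs two reads for the threshold reduction and signer changes that RD-F-031 and RD-F-182 watch for; the owner addresses and the later snapshot are constructed.

```python
"""Scores a Safe admin configuration against the peer norm this assessment
cites (5-of-8 or stronger, 24-72h timelock, at $1B+ TVL) and diffs two
snapshots for threshold reductions and signer changes. Added example with
constructed snapshot values; not Falcon's code or the rubric's tooling."""
from dataclasses import dataclass

PEER_MIN_THRESHOLD = 5            # signatures required
PEER_MIN_OWNERS = 8               # signer-set size
PEER_MIN_TIMELOCK = 24 * 3600     # seconds; lower end of the 24-72h norm
PEER_TVL_FLOOR = 1_000_000_000    # USD; the norm applies at $1B+ TVL


@dataclass(frozen=True)
class SafeSnapshot:
    owners: tuple          # signer addresses, as returned by getOwners()
    threshold: int         # getThreshold()
    timelock_delay: int    # seconds between queue and execute; 0 = none
    nonce: int             # executed-transaction count


def assess_admin_config(snap, tvl_usd):
    """Return (factor, colour, reason) tuples for timelock and multisig strength."""
    findings = []
    n = len(snap.owners)
    if snap.timelock_delay == 0:
        findings.append(("timelock", "red",
                         "no delay: admin calls execute as soon as the threshold signs"))
    elif snap.timelock_delay < PEER_MIN_TIMELOCK:
        findings.append(("timelock", "yellow",
                         f"delay {snap.timelock_delay}s is below the 24h peer norm"))
    else:
        findings.append(("timelock", "green", f"delay {snap.timelock_delay}s"))

    weak = snap.threshold < PEER_MIN_THRESHOLD or n < PEER_MIN_OWNERS
    if tvl_usd >= PEER_TVL_FLOOR and weak:
        # A weak signer set with no timelock leaves users no exit window at all.
        colour = "red" if snap.timelock_delay == 0 else "yellow"
        findings.append(("multisig", colour,
                         f"{snap.threshold}-of-{n} below {PEER_MIN_THRESHOLD}-of-"
                         f"{PEER_MIN_OWNERS} peer norm at ${tvl_usd / 1e9:.3f}B TVL"))
    else:
        findings.append(("multisig", "green", f"{snap.threshold}-of-{n}"))
    return findings


def diff_snapshots(before, after):
    """Alerts worth paging on between two reads of the same Safe."""
    alerts = []
    if after.threshold < before.threshold:
        alerts.append(("threshold_reduction", "critical",
                       f"{before.threshold} -> {after.threshold}"))
    elif after.threshold > before.threshold:
        alerts.append(("threshold_increase", "info",
                       f"{before.threshold} -> {after.threshold}"))
    for owner in sorted(set(before.owners) - set(after.owners)):
        alerts.append(("owner_removed", "high", owner))
    for owner in sorted(set(after.owners) - set(before.owners)):
        alerts.append(("owner_added", "high", owner))
    if after.nonce > before.nonce and not alerts:
        # Config unchanged but transactions executed: with no timelock there was
        # no pre-announcement window, so each one deserves a review.
        alerts.append(("admin_tx_executed", "info",
                       f"{after.nonce - before.nonce} tx(s) since last read"))
    return alerts


# Constructed placeholders standing in for the six signer addresses.
OWNERS = tuple(f"0xSIGNER_{i}" for i in range(1, 7))
CURRENT = SafeSnapshot(owners=OWNERS, threshold=4, timelock_delay=0, nonce=16)
# Hypothetical later read: one signer replaced and the threshold lowered.
LATER = SafeSnapshot(owners=OWNERS[:5] + ("0xSIGNER_7",), threshold=3,
                     timelock_delay=0, nonce=18)
TVL_USD = 1.618e9

if __name__ == "__main__":
    for finding in assess_admin_config(CURRENT, TVL_USD):
        print(*finding)
    for alert in diff_snapshots(CURRENT, LATER):
        print(*alert)
```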
Oracle & external dependencies · Yellow · 42 · 17 of 17 factors
RD-F-057 red Circuit breaker on price deviation No on-chain circuit breaker identified in any verified Falcon contract. USDf ERC20 and sUSDf ERC4626 implementations have no price-deviation check logic. Off-chain operational circuit breaker may exist but is unverifiable.
RD-F-059 red Oracle staleness check present No on-chain staleness check confirmed in verified USDf ERC20 or sUSDf ERC4626 contracts. Neither contract calls oracles. AVAX, USDT, USDC feeds have 24h heartbeats; stale prices could persist up to 24h without on-chain rejection.
RD-F-049 yellow Oracle role per asset Each asset has a single primary Chainlink feed. No secondary or fallback feed identified for any asset including the two custom Falcon feeds (USDf/USD, sUSDf/USDf). Single-feed topology with no documented fallback assignment.
RD-F-050 yellow Dependency graph (protocols depended upon) External dependencies: Chainlink (oracle data), Fireblocks CVA and Ceffu MirrorX (MPC custody of ~$1.618B collateral), Binance and Bybit (CEX trading for basis yield), Superstate (tokenized UST RWA collateral), HT.Digital (weekly attestations). No on-chain fallback for any off-chain dependency.
RD-F-051 yellow Fallback behavior on oracle failure No on-chain fallback oracle behavior identified. USDf ERC20 and sUSDf ERC4626 contracts do not call oracles. No try/catch or secondary-oracle fallback pattern in audited contracts. Fallback on oracle failure appears to rely on manual/operational intervention.
RD-F-052 yellow Breakage analysis per dependency Partial breakage analysis: Chainlink failure would cause collateral mis-valuation; Fireblocks/Ceffu failure would make ~$1.618B inaccessible; Binance/Bybit halt would cease yield generation; Superstate failure risks under-collateralization for RWA-backed USDf. No protocol-published breakage analysis exists.
RD-F-054 n/a TWAP window duration No DEX TWAP oracles used. All feeds are Chainlink push-oracles. TWAP window measurement not applicable.
RD-F-055 n/a Oracle pool depth (USD) No DEX TWAP oracles used. Pool depth measurement not applicable.
RD-F-056 n/a Single-pool oracle (no medianization) No DEX pool oracles used. Single-pool medianization check not applicable. Chainlink aggregators internally medianize across node operators.
RD-F-058 gray Max-deviation threshold (bps) No circuit breaker confirmed (F057 red). No maxDeviationBps() accessible on any identified Falcon contract. Custom feed bounds (USDf/USD, sUSDf/USDf minAnswer/maxAnswer) not retrieved; data cache does not include this field.
RD-F-060 gray Chainlink aggregator min/max bound misconfig minAnswer/maxAnswer for custom USDf/USD and sUSDf/USDf feeds not retrieved. Standard ETH/USD and BTC/USD feeds have known Chainlink defaults. Custom feed bounds are the unknown risk.
RD-F-061 n/a LP token balanceOf used for pricing Falcon does not use LP token balanceOf pricing. All collateral pricing via Chainlink push-oracles. USDf/sUSDf contracts have no price calculation logic.
RD-F-062 gray External keeper/relayer not redundant Falcon does not use on-chain keepers for core minting/redemption. The sUSDf Staking Rewards Distributor (0x8AF2EFa...) is the closest keeper-adjacent contract but its source is not confirmed verified and its failure mode is not documented.
RD-F-180 gray Immutable oracle address [★ CANDIDATE — FLAG FOR T-14 PD-017] Oracle address immutability cannot be assessed. USDf ERC20 and sUSDf ERC4626 contracts contain no oracle address variables. Collateral pricing oracle consumption occurs in an unidentified minting controller — not publicly documented or labeled on Etherscan.
RD-F-181 n/a Permissionless-pool lending oracle Falcon Finance is not a lending protocol and does not use permissionlessly-listed pool spot prices. All collateral pricing uses Chainlink-curated push-oracle feeds.
RD-F-048 green Oracle providers used All 19 confirmed oracle feeds are Chainlink push-oracles. No Pyth, RedStone, Uniswap TWAP, or in-house oracle identified. Provider set exclusively Chainlink across ETH, BTC, USDT, USDC, AVAX, COMP, LINK, UNI pairs plus two custom USDf/USD and sUSDf/USDf feeds.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — GREEN] All 19 confirmed oracle feeds are Chainlink push-oracles. No DEX spot price or TWAP pattern identified. Zero slot0() or getReserves() calls in any verified Falcon contract. Both custom feeds are standard EACAggregatorProxy contracts.
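A consumer that enforced the guards found missing above (RD-F-057, RD-F-059, RD-F-060) would reject a stale, clamped or sharply deviating round before using it. The block below is an added example, not Falcon's contracts, of those checks over the latestRoundData() tuple shape; the feed bounds, the deviation threshold and the round data are constructed.

```python
"""Consumer-side guards on Chainlink AggregatorV3 round data that the
assessment could not find on-chain: staleness against the feed heartbeat
(RD-F-059), min/max bound clamping (RD-F-060) and a deviation circuit breaker
(RD-F-057). Added example; feed bounds, the deviation threshold and the round
data are constructed, not read from Falcon's feeds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FeedSpec:
    name: str
    heartbeat: int          # seconds; documented per feed (24h for USDT/USDC/AVAX)
    decimals: int
    min_answer: int         # aggregator minAnswer/maxAnswer (constructed here)
    max_answer: int
    max_deviation_bps: int  # this monitor's own circuit-breaker threshold (assumed)


@dataclass(frozen=True)
class RoundData:
    """Field order of AggregatorV3Interface.latestRoundData()."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int


def check_round(spec, rd, now, prev_answer=None):
    """Return problem strings; an empty list means the round is safe to consume."""
    problems = []
    if rd.answer <= 0:
        problems.append("non-positive answer")
    if rd.updated_at == 0 or rd.updated_at > now:
        problems.append("round incomplete or updatedAt in the future")
    elif now - rd.updated_at > spec.heartbeat:
        problems.append(f"stale: {now - rd.updated_at}s since update exceeds "
                        f"heartbeat {spec.heartbeat}s")
    if rd.answered_in_round < rd.round_id:
        problems.append("answer carried over from an earlier round")
    if not spec.min_answer < rd.answer < spec.max_answer:
        # At the bound the aggregator reports the clamp, not the market price.
        problems.append("answer at aggregator min/max bound (clamped)")
    if prev_answer is not None and prev_answer > 0:
        dev_bps = abs(rd.answer - prev_answer) * 10_000 // prev_answer
        if dev_bps > spec.max_deviation_bps:
            problems.append(f"deviation {dev_bps} bps exceeds "
                            f"{spec.max_deviation_bps} bps; hold consumption")
    return problems


def as_price(spec, rd):
    """Scale the integer answer by the feed's decimals."""
    return rd.answer / 10 ** spec.decimals


# Constructed USDT/USD-style feed: 8 decimals, 24h heartbeat, assumed bounds.
USDT_USD = FeedSpec("USDT/USD", heartbeat=86_400, decimals=8,
                    min_answer=1_000_000, max_answer=10_000_000_000,
                    max_deviation_bps=200)
NOW = 1_778_000_000
FRESH = RoundData(round_id=100, answer=100_000_000, started_at=NOW - 3_600,
                  updated_at=NOW - 3_600, answered_in_round=100)
STALE = RoundData(round_id=100, answer=100_000_000, started_at=NOW - 90_000,
                  updated_at=NOW - 90_000, answered_in_round=100)   # 25h old
CLAMPED = RoundData(round_id=101, answer=1_000_000, started_at=NOW - 60,
                    updated_at=NOW - 60, answered_in_round=101)

if __name__ == "__main__":
    for label, rd in (("fresh", FRESH), ("stale", STALE), ("clamped", CLAMPED)):
        print(label, as_price(USDT_USD, rd), check_round(USDT_USD, rd, NOW))
```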
Economic risk · Yellow · 22 · 13 of 13 factors
RD-F-063 yellow TVL (current + 30d trend) TVL $1.618B (2026-05-12T03:28:55Z, DefiLlama). 30d change: -0.67% (flat). 12m peak: $2.147B (2025-10-16). 90d CoV: 0.00417 (very stable post-April-2026 step-down). Single-day ~$196M drop ca. 2026-04-15 (ts 1770422400) unconfirmed — no exploit, likely redemption. Yellow on 25% decline from peak.
RD-F-069 yellow Algorithmic / under-collateralized stablecoin USDf is NOT algorithmic or reflexively under-collateralized. Backed by real assets (stablecoins, BTC, ETH, altcoins, RWAs) via off-chain custody. Key structural risks: (1) yield and peg stability depend on funding rates being non-negative or offset by altcoin staking; (2) insurance fund is ~$10M (~0.62% TVL) — thin; (3) custody concentrated in 2 venues (Binance/Bybit) vs Ethena's 4–5; (4) overcollateralization ratios dynamic and undisclosed. No depeg events in 12 months. sUSDf APY declined from ~21.7–22.6% (early 2025) to ~8.7% (2026) — normal market compression, not distress. Peer (Ethena) also scored yellow.
RD-F-064 gray TVL concentration (top-10 wallet share) On-chain depositor concentration scan not possible: majority of $1.618B collateral is held off-chain by Fireblocks (CVA) and Ceffu (MirrorX) custodians. USDf is an ERC-20 minted by the protocol operator — the on-chain USDf holder distribution does not reflect collateral depositor concentration. Off-chain custody model structurally prevents programmatic top-10 depositor assessment.
RD-F-065 gray Liquidity depth per major asset Primary exit mechanism is direct protocol redemption (off-chain, team-managed), not DEX swap. On-chain secondary DEX liquidity for USDf/sUSDf not measured. Docs confirm 20% of altcoin holdings kept on exchanges for instant liquidation. No redemption T+N SLA published. DEX subgraph data not obtained within time budget.
RD-F-066 n/a Utilization rate (lending protocols) Not applicable. Falcon Finance is a synthetic-dollar yield vault, not a lending protocol. No borrow/supply markets exist. DefiLlama data cache: borrow.present: false. Factor is lending-only per taxonomy PD-024.
RD-F-068 n/a Collateralization under stress Not applicable per taxonomy PD-024 (lending-specific). Falcon Finance has no traditional LTV ratio or on-chain liquidation threshold. Analog risk (off-chain collateral buffer < 110% under stress) is materially captured in F069 (yield dependency + insurance fund adequacy). Dynamic overcollateralization ratios for USDf are not fixed or published in docs.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) NOT APPLICABLE — Falcon Finance is not a Compound V2 fork. No cToken market architecture, no market-listing system, no totalSupply()==0 market. ★ critical flag does NOT fire. Original implementation (DWF Labs incubated). sUSDf is a staking wrapper, not a cToken market. Consistent with Ethena calibration peer (also scored not_applicable on F070).
RD-F-071 n/a Seed-deposit requirement for new market listing Not applicable. No market-listing architecture exists. USDf minting is operator-controlled, not permissionless. Seed-deposit requirement for new market listing is a lending-specific concept. Taxonomy PD-024.
RD-F-072 n/a Market-listing governance threshold Not applicable. No permissionless or governance-voted market-listing system. Collateral type additions are managed by the DWF Labs/Falcon team internally. Taxonomy PD-024 (lending-specific).
RD-F-073 n/a Oracle-manipulation-proof borrow cap Not applicable. No borrowing within Falcon Finance protocol. Data cache confirms borrow.present: false. Taxonomy PD-024 (lending-specific).
RD-F-074 gray ERC-4626 virtual-share offset (OZ ≥4.9) sUSDf (0xc8CF6D7991f15525488b2A83Df53468D682Ba4B0) uses a custom staking rewards distributor pattern (not confirmed as ERC-4626). No public GitHub. Source is Etherscan-verified (impl 0x0D132bEE412E6619a4863AEEdad97541BfDa3F34) but ERC-4626 virtual-share offset pattern cannot be confirmed without source code review by code-security-analyst.
RD-F-075 gray First-depositor / share-inflation guard First-depositor guard not confirmed. Zellic audit flagged 'StakedUSDf initialization may fail' (Medium) indicating initialization-state sensitivity. No seed deposit, virtual-share offset, or minimum-share-floor documented in public docs or audit findings. Code-security-analyst must read sUSDf impl source to confirm guard presence or absence.
RD-F-067 green Historical bad-debt events No bad-debt events, exploits, or socialized losses documented in 12 months of operation (Apr 2025 – May 2026). Rekt DB: 0 incidents. Single large TVL drop ca. Apr 15 2026 (~$196M) unconfirmed as a loss event — no post-mortem, no Rekt entry, likely redemption. Green — clean history within observable window.
Operational history · Green · 13 · 15 of 15 factors
RD-F-089 red Insurance coverage active On-chain Insurance Fund at 0x432CDcc4516B21302985b639Ef9a7853727A4e49 holds ~$10M (~0.62% of $1.618B TVL). No external protocol-level insurance (Nexus Mutual, Unslashed, Sherlock). Self-insurance only, structurally thin for off-chain custody risk.
RD-F-078 n/a Chronic-exploit flag (≥3 incidents) 0 incidents (F077 = 0). Chronic threshold of ≥3 cannot be met. Factor not applicable.
RD-F-079 n/a Same-root-cause repeat exploit 0 incidents (F077 = 0). No root-cause clusters to compare. Scoping note per invocation: F079 does not fire for zero-exploit protocols.
RD-F-080 n/a Days since last exploit No prior incidents. Methodology maps 'no incidents' to the same outcome as >365 days clean. No date from which to measure.
RD-F-081 gray Post-exploit response score No prior exploits. Factor is N/A per methodology. Gray: no prior incidents to assess response quality.
RD-F-082 gray Post-mortem published within 30 days No prior exploits. Factor is N/A per methodology. Gray: no incident to post-mortem.
RD-F-083 gray Auditor re-engaged after last exploit No prior exploits. Factor is N/A per methodology. Gray: proactive audits (Zellic x2, Pashov x1) are pre-launch hygiene, not post-exploit re-audits.
RD-F-085 gray Incident response time (minutes) No prior incidents. Factor is N/A per methodology. No response time measurable.
RD-F-076 green Protocol age (days) Admin Safe (earliest mainnet contract) deployed 2025-01-16 = 481 days to 2026-05-12. Public launch ~2025-04-30 = ~377 days. Both exceed 365-day green threshold.
RD-F-077 green Prior exploit count 0 prior exploits confirmed. Hacks DB grep returned 0 matches. DefiLlama data cache hacks=[]. Web search returned no exploit. Profile §10 confirms no incidents.
RD-F-084 green TVL stability (CoV over 90d) Data cache tvl_cov_90d.cov = 0.004171 (mean $1.628B, std $6.79M, 90 samples, window 2026-04-21 to 2026-05-12). CoV 0.0042 << 0.15 green threshold. Extremely stable.
RD-F-086 green Pause activations (trailing 12 months) 0 documented pause activations in the trailing 12 months. No Paused/Unpaused events found in on-chain data, data cache, or public announcements. Green: 0 pauses.
RD-F-087 green Pause > 7 consecutive days No pause events recorded in trailing 12 months (derived from F086 = 0). No consecutive-day pause window exists. Green: no pause >7 consecutive days.
RD-F-088 green Re-deployed to new addresses in last year No full protocol redeployment to new addresses in the trailing 12 months. Core USDf/sUSDf proxy addresses unchanged since Jan 2025. FF/sFF/FF Staking Vault deployed Sep–Oct 2025 are additive. No retired addresses found.
RD-F-166 green Deprecated contracts still holding value No contracts announced as deprecated by Falcon Finance. All catalogued addresses on docs smart-contracts page are active. No sunset surface found.
Real-time signals · Green · 7 · 22 of 22 factors
RD-F-102 yellow Admin/upgrade transaction in mempool Admin/upgrade tx in mempool | Applicable: YES (CRITICAL CONCERN) | 4-of-6 Safe with NO timelock is direct proxy admin for USDf and sUSDf. 16 past Safe txs executed with zero pre-announcement window. No admin tx currently pending as of 2026-05-12. Structural risk is maximum: any future admin tx fires with zero defender lead time. Yellow (not firing today but architecture guarantees zero-lead-time future fires).
RD-F-109 yellow Social-media impersonation scam spike Social-media impersonation scam-spike | Applicable: Yes (active X/@falconfinance, Telegram, Discord) | At least 2 confirmed wallet-drainer impersonation operations: event-falconsfinance[.]com (vote rewards, Oct 2025) and claim-falcon[.]app (airdrop, Sep 2025). Coordinated social amplification confirmed. v2-deferred signal. Would fire at advisory level today.
RD-F-090 gray Mixer withdrawal → protocol interaction Mixer withdrawal -> protocol interaction | Applicable: Yes in principle | Threshold: wallet withdrew from Tornado/Railgun within 30 days AND interacts with Falcon core contracts with value >$100k AND flagged by >=2 attribution sources. Phase-2 signal requiring licensed CTI feed. No mixer-funded wallet interactions with USDf/sUSDf contracts identified from public sources. Signal: gray.
RD-F-091 gray Partial-drain test transactions Partial-drain test transactions | Applicable: Yes (USDf minting/redemption contracts drainable) | v2-deferred signal, folded into RD-F-098 precursor rule. No small-value probe transactions from threat-actor-labeled wallets on Falcon contracts identified in public block explorer data. Not assessable from static public data.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet Abnormal gas-price willingness from attacker wallet | Applicable: Yes in principle | Threshold: priority fee >=5x EMA baseline from threat-actor-labeled wallet. Mempool monitoring not configured for this assessment. v2-deferred signal. Not assessable from static public data.
RD-F-094 gray New contract with similar bytecode to exploit template New contract deployment with similar bytecode to protocol's target | Applicable: Partial | No prior Falcon exploit exists to seed exploit template. No exploit-template index maintained for yield-bearing synthetic-dollar basis-trading class. v2-deferred. Not assessable.
RD-F-095 gray Known-exploit function-selector replay Known-exploit function-selector replay | Applicable: No | Protocol has 0 exploits; no selector-pattern index possible for this class. v2-deferred. Not assessable.
RD-F-096 gray New ERC-20 approval to unverified contract from whale New ERC-20 approval to unverified contract from high-TVL user | Applicable: User-level signal moved to consumer app scope per T-09. Not assessable at protocol level in T-10 static assessment.
RD-F-097 gray Sybil surge of identical-pattern transactions Sybil surge of identical-pattern transactions | Applicable: Partial | No sybil surge pattern identified on Falcon EVM contracts from public data. Clustering algorithm not deployed. v2-deferred. Not assessable.
RD-F-101 gray Large governance proposal queued Large governance proposal execution queued | Applicable: No (no on-chain Governor; Snapshot space ffgov.eth not active) | Signal cannot fire against current multisig-only governance model. v1 launch signal but N/A for this protocol. Would not fire.
RD-F-103 n/a Bridge signer-set change proposed/executed Bridge signer set change | Applicable: No (has_bridge_surface: false; single-chain Ethereum protocol; no bridge validator set) | Signal N/A. Would not fire.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Cross-chain bridge tx pattern (mint without proof) | Applicable: No meaningful bridge surface | Ethereum TVL (100%) has no bridge dependency. BNB/XDC deployments have negligible TVL and undocumented bridge mechanism. Signal not applicable in any material sense.
RD-F-107 gray Admin EOA signing from new geography/device Admin EOA signing from new geography / device fingerprint | Applicable: Yes in principle (6 signer EOAs) | Off-chain signing telemetry not available. No HSM or hardware-constrained signing infrastructure confirmed for Falcon signers. v2-deferred. Not assessable without telemetry.
RD-F-108 n/a GitHub force-push to sensitive branch GitHub force-push / sensitive-branch push | Applicable: No — Falcon Finance has no public smart-contract GitHub repository. Closed-source protocol. Signal structurally not applicable.
RD-F-110 n/a Unusual pending/executed proposal ratio Unusual pending/executed proposal ratio | Applicable: No (no on-chain Governor, no proposal queue, Snapshot not active) | Signal cannot attach to current governance model. N/A.
RD-F-092 green Unusual mempool pattern from deployer wallet Unusual mempool pattern from deployer wallet | Applicable: Yes (deployer EOA 0x804016c31e52805eb00e0Ef42126Fd3e980A0b33 is a Safe signer) | Deployer last known activity is contract deployment (Jan 2025). No unusual mempool pattern identified. v2-deferred signal. Would not fire today.
RD-F-098 green TVL anomaly — % drop in <1h TVL anomaly (severe drop) | Applicable: Yes ($1.618B TVL) | 90d CoV = 0.00417 (very stable). 30d change = -0.67%. 1d change = +0.02%. April 2026 drop was gradual over 4+ days, not exploit-class single-hour spike. Well above 30% drop threshold. Signal not firing today.
RD-F-099 green Oracle price deviation >X% from secondary Oracle price deviation | Applicable: Yes (Chainlink USDf/USD 0xb177857, ETH/USD 0x5f4eC3Df, BTC/USD 0xF4030086) | No oracle deviation reported as of 2026-05-12. Phase-2 signal requiring secondary feed mapping. Signal not firing today.
RD-F-100 green Flash loan >$10M targeting protocol tokens Flash loan targeting protocol | Applicable: Limited (no on-chain lending market, no flash-loan-attackable governance) | Primary TVL off-chain via Fireblocks/Ceffu. No on-chain governor susceptible to flash-loan voting. No flash-loan activity targeting Falcon contracts detected. Signal not firing.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Stablecoin depeg | Applicable: Yes (USDT, USDC, DAI, USDS are core collateral; exposure >>5% TVL) | No stablecoin depeg >2% sustained on major venues as of 2026-05-12. Signal not firing.
RD-F-105 green DNS/CDN/frontend hash drift DNS / frontend hash drift | Applicable: Yes (falcon.finance, app.falcon.finance active) | Official domain stable at assessment date. No DNS drift or cert-change alerts. Impersonation domains (event-falconsfinance[.]com, claim-falcon[.]app) are separate domains — not drift on official domain. Signal not firing on official domain.
RD-F-182 green Security-Council threshold reduction (RT) Security-Council threshold reduction event (RT signal, batch-24) | Applicable: YES (HIGHLY RELEVANT) | The 4-of-6 Safe IS the effective Security Council. No threshold change detected as of 2026-05-12 (nonce=16, threshold stable at 4-of-6 since Jan 2025). CRITICAL NOTE: Falcon has no timelock — it is already in the permanently post-timelock-removal state (the Drift precondition is baked in). Any threshold reduction from 4-of-6 would be an immediate maximum-severity event. Signal not currently firing.
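The CoV and severe-drop thresholds used in RD-F-084 and RD-F-098 can be reproduced offline. The block below is an added example, not the rubric's own tooling, that computes both over constructed TVL series and shows why a gradual four-day decline leaves the one-hour rule quiet while a single-hour collapse fires it.

```python
"""TVL signals as the assessment applies them: 90-day coefficient of variation
(green below 0.15, RD-F-084) and the severe-drop rule (>30% inside one hour,
RD-F-098), which must stay quiet on a gradual multi-day decline such as the
April 2026 step-down. Added example with constructed TVL series; not the
rubric's own tooling."""
import statistics

COV_GREEN_MAX = 0.15    # green threshold for 90d CoV
DROP_THRESHOLD = 0.30   # fractional fall that counts as exploit-class
DROP_WINDOW = 3_600     # seconds within which the fall must occur


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean."""
    return statistics.pstdev(values) / statistics.fmean(values)


def max_drop_within(series, window):
    """Largest fractional fall between two samples at most `window` seconds apart.
    `series` is a list of (unix_ts, tvl_usd) sorted by time."""
    worst = 0.0
    for i, (t0, v0) in enumerate(series):
        for t1, v1 in series[i + 1:]:
            if t1 - t0 > window:
                break
            if v0 > 0:
                worst = max(worst, (v0 - v1) / v0)
    return worst


def tvl_signal(series):
    """CoV colour plus whether the severe-drop signal fires for the series."""
    cov = coefficient_of_variation([v for _, v in series])
    drop_1h = max_drop_within(series, DROP_WINDOW)
    span = series[-1][0] - series[0][0]
    return {
        "cov": cov,
        "cov_colour": "green" if cov < COV_GREEN_MAX else "yellow",
        "max_drop_1h": drop_1h,
        "max_drop_total": max_drop_within(series, span),
        "fires": drop_1h >= DROP_THRESHOLD,
    }


def hourly_series(start_ts, values):
    """Constructed helper: one sample per hour starting at start_ts."""
    return [(start_ts + 3_600 * i, v) for i, v in enumerate(values)]


START = 1_776_000_000  # constructed epoch start
# Constructed: ~10% decline spread evenly over 96 hourly samples (four days).
GRADUAL = hourly_series(START, [2.0e9 - 2.0e8 * i / 95 for i in range(96)])
# Constructed: 38% of TVL gone between two consecutive hourly samples.
SPIKE = hourly_series(START, [1.618e9] * 5 + [1.0e9] * 4)

if __name__ == "__main__":
    for name, series in (("gradual", GRADUAL), ("spike", SPIKE)):
        print(name, tvl_signal(series))
```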
Dev identity & insider risk Yellow 22 16 of 16
RD-F-111 yellow Team doxx status Andrei Grachev (Managing Partner, Falcon Finance + DWF Labs) is fully doxxed: real name, IQ.wiki biography, LinkedIn, Consensus HK 2025 in-person speaker, multiple media profiles. Remaining operational team (developers, other signers) is not publicly named. Team doxx category: real-name for one disclosed leader; anonymous for all others.
RD-F-112 yellow Team public accountability surface Andrei Grachev has multiple verifiable public accountability trails: IQ.wiki, LinkedIn (DWF Labs), media coverage (The Block, Rolling Stone, The Nation, Protos), Consensus HK 2025 speaker listing. Operational technical team has zero public accountability surface — no named engineers, no GitHub public members list, no conference speakers beyond Grachev.
RD-F-113 yellow Team other-protocol involvement history Grachev has an adverse documented track record: 2015 Russian fraud conviction (suspended 3yr sentence, 5yr probation, 450k-ruble fine) for fake logistics/cargo theft scheme; multiple failed crypto ventures pre-DWF (Crypsis, Export.Online ICO with investor theft allegations); DWF Labs misconduct dismissal of co-founder Eugene Ng in 2024; DWF Labs pump-and-dump and wash-trading allegations. No confirmed rug-pull specifically linked to Falcon Finance or to Grachev directly.
RD-F-115 yellow Prior rug/exit-scam affiliation No confirmed rug-pull or exit-scam affiliation for Falcon Finance or named team members. Grachev's 2015 fraud conviction involves cargo theft (offline/physical), not a DeFi rug. DWF Labs pump-and-dump allegations remain unproven in a legal or rug-classification sense. Web search for 'Falcon Finance rug exit scam' returned no adverse results. Data cache rekt.incidents = [] confirmed.
RD-F-117 yellow ENS/NameStone identity bound to deployer Deployer `0x804016c31e52805eb00e0Ef42126Fd3e980A0b33` has no ENS name or NameStone reverse-resolution name. Etherscan shows only the protocol-level label 'Falcon Finance: Deployer' which provides functional identification equivalence but does not satisfy the ENS/NameStone-specific criterion. Yellow reflects absence of the specific mechanism.
RD-F-120 yellow Video-off/voice-consistency flag Andrei Grachev has made multiple on-camera public appearances (Consensus HK 2025, LinkedIn video posts, media interviews). No video-declined pattern for Grachev. However, the five anonymous Safe signers and the full engineering team have zero confirmed public video or audio appearances. Partial green on the leader, zero coverage on the rest of the team.
RD-F-121 yellow Contributor OSINT depth score Grachev OSINT depth: 4/5 (real name, employer history, criminal record publicly documented, conference presence, extensive media coverage). Operational technical team OSINT depth: 0/5 — no other named individuals publicly associated with Falcon Finance development. Single-person concentration of verifiable identity within the protocol.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion Admin Safe (0x1E482B60) has executed 16 transactions with no public governance forum or engineering discussion venue. No public GitHub for smart contracts means no issue/PR discussion is possible. No confirmed hostile admin-rescue or ACL change event in rekt.incidents or news. Structurally, the absence of any public discussion surface prevents verification of the factor either positively or negatively — but no malicious event was found.
RD-F-116 gray Contributor tenure at admin-permissioned PR No public GitHub repository for Falcon Finance smart contracts confirmed. The FalconFinance GitHub org is an unrelated Uniswap v2 fork. Contributor tenure at admin-permissioned PRs cannot be assessed without a public repository. Closed-source codebase makes this factor structurally unassessable via standard methods.
RD-F-119 gray Commit timezone consistent with stated geography No public GitHub repository for Falcon Finance smart contracts exists. Commit-hour timezone analysis cannot be performed. Grachev is UAE-based (DWF Labs Abu Dhabi); DWF Labs opened NYC office April 2025. No commit data available to assess timezone consistency.
RD-F-122 gray Contributor paid to DPRK-cluster wallet No contributor payment wallets are publicly disclosed for Falcon Finance. Grachev / DWF Labs entity has no OFAC/DPRK designation. Cannot trace contributor payment routing without wallet disclosure. The 5 anonymous Safe signers' payment wallets are unknown.
RD-F-125 gray Deployer linked within 3 hops to DPRK/Lazarus 1-hop from deployer and 3 known signers: MEXC / Bitget CEX addresses (not DPRK-linked). No OFAC SDN designation for Falcon Finance, Andrei Grachev, or DWF Labs as of 2026-05-12. No Chainalysis published DPRK attribution found. 5 of 6 Safe signers are anonymous — cluster proximity cannot be assessed for those wallets. Cannot confirm or deny DPRK absence for the anonymous signer set. No affirmative DPRK signal found; ESCALATION NOT REQUIRED, but opacity prevents all-clear.
RD-F-114 green Deployer address prior on-chain history Deployer `0x804016c31e52805eb00e0Ef42126Fd3e980A0b33` is labeled 'Falcon Finance: Deployer' on Etherscan. 188 total transactions since creation. Activity pattern consistent with legitimate protocol deployer: contract deployments, interactions with Superform and deBridge protocols, token swaps. No rug-deployer cluster label, no prior rugged deployments, no exit-scam-pattern activity found.
RD-F-118 green Handle reuse across failed/rugged projects No social handle for Falcon Finance or Grachev associated with a prior rugged/failed project under a different alias. @falconfinance X account is consistent in identity since launch. Grachev's prior failed crypto ventures (Crypsis, Export.Online ICO, Shoptimizer) used distinct branding, not aliases recycled into Falcon Finance.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer 0x804016c31e52805eb00e0Ef42126Fd3e980A0b33 funded by MEXC 16 (0x9642b23ed1e01df1092b92641051881a322f5d4e) — a labeled centralized exchange wallet on Etherscan. MEXC is not a mixer. No Tornado Cash or Railgun interactions found in the 30-day pre-deploy window or in the deployer's full transaction history. Safe signer wallets also primarily funded from MEXC 16 around January 2025 protocol launch. CEX funding origin is clean.
RD-F-184 green Real-capital social-engineering persona No curator flag or OSINT evidence of any contributor or external integrator persona with ≥$1M attributed deposits used to build credibility ahead of a social-engineering attack. DWF Labs' $25M WLFI token purchase is a strategic investment, not a credibility-building insider persona pattern. No Drift-class UNC4736/TraderTraitor 6-month build-up pattern documented for Falcon Finance. Factor is M-only and P1; no positive signal found.
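The hop walk behind RD-F-124 (mixer-funded within 30 days) and RD-F-125 (within 3 hops of a flagged cluster), added here as an example rather than defirisk.co's or Falcon Finance's tooling. It walks funding edges backwards from a wallet, stops at custodial-exchange labels, and reports every labelled address reached within N hops together with when it released the funds. Only the deployer and MEXC 16 addresses are taken from the assessment; every other address, the label map and all transfers are constructed sample data, and the "window applies to the mixer's outbound hop" rule is an assumption of this example.

```python
"""Funding-provenance hop walk for deployer and signer wallets.

Added example for the RD-F-124 and RD-F-125 factors; not Falcon Finance's or
defirisk.co's tooling. Only DEPLOYER and MEXC_16 are taken from the page; the other
addresses, the label map and all transfers are constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

DAY = 86_400
DEPLOYER = "0x804016c31e52805eb00e0Ef42126Fd3e980A0b33"   # from the page
MEXC_16 = "0x9642b23ed1e01df1092b92641051881a322f5d4e"    # from the page (Etherscan label)

# Hypothetical addresses and timestamps, constructed for this example only.
SIGNER_B = "0xb000000000000000000000000000000000000002"   # stands in for an anonymous signer
HOP_WALLET = "0xc000000000000000000000000000000000000003" # unlabelled intermediary
MIXER_POOL = "0xd000000000000000000000000000000000000004" # stand-in for a mixer pool
DEPLOY_TS = 1_737_000_000                                  # constructed deployment time

LABELS = {MEXC_16: "cex", MIXER_POOL: "mixer"}  # live use: SDN / Lazarus / mixer label feed

@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    timestamp: int

SAMPLE_TRANSFERS = [
    Transfer(MEXC_16, DEPLOYER, DEPLOY_TS - 3 * DAY),       # deployer: clean CEX origin
    Transfer(MIXER_POOL, HOP_WALLET, DEPLOY_TS - 40 * DAY), # mixer -> intermediary
    Transfer(HOP_WALLET, SIGNER_B, DEPLOY_TS - 10 * DAY),   # intermediary -> signer
    Transfer(MEXC_16, SIGNER_B, DEPLOY_TS - 9 * DAY),       # signer also CEX-funded
]

@dataclass(frozen=True)
class Finding:
    address: str     # the labelled address reached
    label: str
    hops: int        # 1 = funded the start address directly
    path: tuple      # labelled address ... start address
    edge_ts: int     # when the labelled address sent funds along this path

def funding_exposure(transfers, start, labels, max_hops=3):
    """Breadth-first walk over funding edges, backwards from `start`, reporting every
    labelled non-CEX address within `max_hops`. The walk stops at CEX labels: once funds
    pass through a custodial omnibus wallet the on-chain path no longer identifies the
    depositor (standard analyst convention, assumed here)."""
    funders = defaultdict(list)
    for t in transfers:
        funders[t.receiver.lower()].append(t)
    start = start.lower()
    seen = {start}
    queue = deque([(start, 0, (start,))])
    findings = []
    while queue:
        node, depth, path = queue.popleft()
        if depth >= max_hops:
            continue
        for t in funders.get(node, ()):
            src = t.sender.lower()
            label = labels.get(src)
            if label and label != "cex":
                findings.append(Finding(src, label, depth + 1, (src,) + path, t.timestamp))
            if src in seen or label == "cex":
                continue
            seen.add(src)
            queue.append((src, depth + 1, (src,) + path))
    return findings

def mixer_funded_within(transfers, start, labels, deploy_ts, window=30 * DAY, max_hops=3):
    """RD-F-124-style check: a mixer within `max_hops` that released funds toward `start`
    inside the pre-deploy window. The window is applied to the mixer's outbound hop."""
    return [f for f in funding_exposure(transfers, start, labels, max_hops)
            if f.label == "mixer" and deploy_ts - window <= f.edge_ts <= deploy_ts]

if __name__ == "__main__":
    print("deployer:", funding_exposure(SAMPLE_TRANSFERS, DEPLOYER, LABELS))
    print("signer B:", funding_exposure(SAMPLE_TRANSFERS, SIGNER_B, LABELS))
    print("signer B, 30d:", mixer_funded_within(SAMPLE_TRANSFERS, SIGNER_B, LABELS, DEPLOY_TS))
```

On the sample data the deployer comes back clean (its only funder is the CEX label, where the walk stops), while the constructed signer is two hops from the mixer but outside the 30-day window, which is exactly the split between the two factors: proximity and recency are scored separately.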
Fork / dependency lineage Gray 0 10 of 10
RD-F-126 n/a Is-a-fork-of Falcon Finance is an original implementation. Profile §5 explicitly: not forked. DWF Labs incubated architecture. All Cat 8 fork-specific factors are N/A.
RD-F-127 n/a Upstream patch not merged Not a fork. No upstream to track for unmerged patches.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not a fork. No upstream vulnerability disclosures to track.
RD-F-129 n/a Code divergence from upstream (%) Not a fork. Code divergence from upstream is not applicable for original implementations.
RD-F-130 n/a Fork depth (generations from original audit) Not a fork. Fork depth = 0 by definition (original implementation).
RD-F-131 n/a Fork retains upstream audit coverage Not a fork. Has its own independent audit history (Zellic x2, Pashov x1). Upstream audit coverage concept is N/A.
RD-F-132 n/a Fork has different economic parameters than upstream Not a fork. Economic parameter divergence from upstream is N/A.
RD-F-133 gray Dependency manifest uses unpinned versions No public GitHub repository for Falcon Finance smart contracts. Cannot inspect package.json or foundry.toml for version pinning. Data cache confirms github.repo_url: null.
RD-F-134 gray Dependency had malicious-release incident (last 90d) No dependency manifest accessible (private/no repo). No GHSA advisory for OZ upgradeable or Solidity stdlib in last 90 days identified. Cannot fully assess due to closed source.
RD-F-135 gray Shared-library version with known-vuln status OZ version unknown (no package.json). Solidity 0.8.28 used for core contracts — SOL-2026-1 exists (affects 0.8.28-0.8.33) but requires viaIR + tstore delete patterns not confirmed present. Cannot fully assess.
Post-deploy hygiene & change mgmt Yellow 37 13 of 13
RD-F-136 red Deployed bytecode matches signed release tag No public GitHub repository for Falcon Finance smart contracts. Cannot verify deployed bytecode against a signed git tag. Protocol uses closed-source development. Etherscan source is verified but no reproducible build path exists.
RD-F-139 red Post-audit code changes without re-audit [★ CRITICAL] FF Staking Vault, sFF, sFF-Prime, and StakingRewardsDistributor were deployed after the Feb 2025 audits (FF TGE September 29, 2025). No audit covering these post-TGE contracts has been identified. Material unaudited surface at $1.618B TVL.
RD-F-145 red Deployed bytecode reproducibility No public repository, no declared build toolchain, no pinned build instructions. Cannot reproduce deployed bytecode from public sources. Closed-source development model.
RD-F-141 yellow Test-mode parameters in deploy Deployer EOA (0x804016…) retains permanent Safe signer status — a structural anomaly. However, admin was set to the Safe from genesis, not left as EOA. No test oracle, infinite allowances, or test admin addresses in deployed contracts. Partial test-mode concern.
RD-F-143 yellow Reinitializable implementation (no _disableInitializers) USDf impl has initialize() function. Zellic flagged sUSDf initialization as a Medium finding. _disableInitializers() in constructor cannot be confirmed from the Etherscan ABI alone (the ABI does not expose constructor bodies; the verified source, or an eth_getStorageAt read of the implementation's Initializable slot, would settle it). Yellow pending code-security-analyst bytecode verification — may escalate to CRITICAL RED.
RD-F-140 gray Fix-merged-but-not-deployed gap Cannot assess fix-merged-but-not-deployed gap. No public GitHub repository means no commit history is accessible. Zellic Medium finding (sUSDf initialization) stated as addressed in the report but the fix cannot be verified.
RD-F-142 gray Storage-layout collision risk across upgrades Cannot assess storage-layout collision risk across upgrades. No public repository for OZ upgrades-plugin validation. Both USDf and sUSDf have had only 1 upgrade each — minimal multi-upgrade collision history, but future upgrades cannot be analyzed.
RD-F-185 n/a Bridge rate-limiter / chain-pause as positive mitigant N/A — no bridge infrastructure exists. Profile flags has_bridge_surface=false, cross_chain=false, layerzero.present=false. No rate-limiting or chain-pause mechanism applicable to the primary Ethereum-only deployment.
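The storage read that would resolve RD-F-143, added here as an example (not code from Falcon Finance, defirisk.co or the Zellic/Pashov reports): fetch the OpenZeppelin Initializable word from the implementation contract's storage and decode it. Because the OZ version is unknown (RD-F-135), both the pre-5.x packed slot-0 layout and the 5.x ERC-7201 namespaced slot are handled; the slot-0 assumption only holds when Initializable is the first base contract, and the slot constants are copied from OpenZeppelin's sources (assumed current). All storage words used in the stand-alone run are constructed.

```python
"""Decode an OpenZeppelin Initializable storage word read from an implementation.

Added example for RD-F-143; not Falcon Finance's, defirisk.co's or the auditors'
code. Storage words used when run stand-alone are constructed. Assumptions: OZ <5
stores `uint8 _initialized; bool _initializing;` packed in slot 0 (only when
Initializable is the first base contract); OZ 5.x uses the ERC-7201 namespaced slot
constant from Initializable.sol. The RPC helpers are for live use only.
"""
import json
import urllib.request

LEGACY_SLOT = "0x0"
# OZ 5.x: keccak256(abi.encode(uint256(keccak256("openzeppelin.storage.Initializable")) - 1)) & ~0xff
OZ5_SLOT = "0xf0c57e16840df040f15088dc2f81fe391c3923bec73e23a9662efc9c229c6a00"
# ERC-1967: keccak256("eip1967.proxy.implementation") - 1, read from the *proxy*
ERC1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"

UINT8_MAX = 0xFF
UINT64_MAX = 0xFFFF_FFFF_FFFF_FFFF

def decode_initializable(word: str, oz5: bool) -> dict:
    """`word` is the raw 32-byte storage value as hex. Verdicts: UNINITIALIZED (anyone
    can call initialize() on the implementation), DISABLED (_disableInitializers() ran
    in the constructor) or INITIALIZED (a normal version number is stored)."""
    v = int(word, 16)
    if oz5:
        initialized = v & UINT64_MAX            # uint64 _initialized, low 8 bytes
        initializing = bool((v >> 64) & 0xFF)   # bool _initializing, 9th byte
        sentinel = UINT64_MAX                   # value written by _disableInitializers()
    else:
        initialized = v & UINT8_MAX             # uint8 _initialized, low byte
        initializing = bool((v >> 8) & 0xFF)    # bool _initializing, 2nd byte
        sentinel = UINT8_MAX
    if initialized == 0:
        verdict = "UNINITIALIZED"
    elif initialized == sentinel:
        verdict = "DISABLED"
    else:
        verdict = "INITIALIZED"
    return {"initialized": initialized, "initializing": initializing,
            "disabled": initialized == sentinel, "verdict": verdict}

def get_storage_at(rpc_url: str, address: str, slot: str) -> str:
    payload = {"jsonrpc": "2.0", "id": 1, "method": "eth_getStorageAt",
               "params": [address, slot, "latest"]}
    req = urllib.request.Request(rpc_url, json.dumps(payload).encode(),
                                 {"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["result"]

def assess_proxy(rpc_url: str, proxy: str, oz5: bool) -> dict:
    """Resolve the ERC-1967 implementation behind `proxy`, then decode the
    implementation's own Initializable word. Reading the proxy's slot instead reports
    the proxy's (initialized) state and would miss an open implementation."""
    impl = "0x" + get_storage_at(rpc_url, proxy, ERC1967_IMPL_SLOT)[-40:]
    word = get_storage_at(rpc_url, impl, OZ5_SLOT if oz5 else LEGACY_SLOT)
    return {"implementation": impl, **decode_initializable(word, oz5)}

if __name__ == "__main__":
    # Constructed words, not chain reads.
    for label, word, oz5 in [
        ("fresh implementation, OZ4", "0x" + "00" * 32, False),
        ("_disableInitializers() run, OZ4", "0xff", False),
        ("_disableInitializers() run, OZ5", "0xffffffffffffffff", True),
        ("reinitializer(2) mid-call, OZ5", hex((1 << 64) | 2), True),
    ]:
        print(label, decode_initializable(word, oz5))
```

Note that the same word means different things under the two layouts: 0xff is the disabled sentinel for a uint8 but an ordinary version number for a uint64, so the OZ version has to be pinned down (from verified source or bytecode) before the read is trusted.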
RD-F-137 green Upgrade frequency (per 90 days) 0 upgrades in last 90 days. Total of 2 upgrade events (both USDf and sUSDf on Feb 10, 2025) in the entire protocol history. Very low upgrade frequency.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No upgrades in last 30 days. Zero hot-patch events. Note: when upgrades DO occur there is no timelock, so any future upgrade would constitute a zero-delay execution by definition.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory-based redeployment pattern identified. Standard OZ TransparentUpgradeableProxy and Safe Proxy Factory 1.4.1 patterns used. No redeployment-to-same-address risk.
RD-F-146 green New contract deploys in last 30 days No new governance-relevant contract deployments in last 30 days. Deployer EOA's most recent activity (~21 days ago) was a USDC swap, not a contract deployment.
RD-F-168 green Stale-approval exposure on deprecated router No deprecated router contracts with active user approvals identified. USDf and sUSDf proxies maintain stable proxy addresses — user approvals survive any implementation upgrade without pointing to deprecated contracts.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface Falcon Finance is Ethereum-only with no bridge surface. Profile flags has_bridge_surface: false. BNB/XDC are peripheral deployments using native chain bridges not owned by Falcon. layerzero.present: false per data cache.
RD-F-148 n/a Bridge validator count (M) No bridge surface. Cat 10 N/A for Falcon Finance.
RD-F-149 n/a Bridge validator threshold (k-of-M) No bridge surface. Cat 10 N/A for Falcon Finance.
RD-F-150 n/a Bridge validator co-hosting No bridge surface. Cat 10 N/A for Falcon Finance.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) No bridge surface. RD-F-151 (bridge ecrecover zero-address check) N/A for Falcon Finance.
RD-F-152 n/a Bridge binds message to srcChainId No bridge surface. Cat 10 N/A for Falcon Finance.
RD-F-153 n/a Bridge tracks nonce-consumed mapping No bridge surface. Cat 10 N/A for Falcon Finance.
RD-F-154 n/a Default bytes32(0) acceptable as valid root No bridge surface. RD-F-154 (default bytes32(0) valid root — Nomad bug class) N/A for Falcon Finance.
RD-F-155 n/a Bridge validator-set rotation recency No bridge surface. Cat 10 N/A for Falcon Finance.
RD-F-156 n/a Bridge uses same key custody for >30% validators No bridge surface. Cat 10 N/A for Falcon Finance.
RD-F-157 n/a Bridge TVL per validator ratio No bridge surface. Cat 10 N/A for Falcon Finance.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) No LayerZero OFT integration. RD-F-179 (DVN config) N/A for Falcon Finance.
Threat intelligence & recon Yellow 25 8 of 8
RD-F-161 red Protocol-impersonator domain registered (typosquat) Protocol-impersonator domain registered (typosquat) | Applicable: YES | At least 2 confirmed active wallet-drainer domains: (1) event-falconsfinance[.]com (vote rewards drainer, Oct 2025); (2) claim-falcon[.]app (airdrop drainer, Sep 29 2025, IP 213.111.144.132). Both documented by PCRisk as confirmed crypto wallet drainers impersonating falcon.finance. Red threshold met.
RD-F-158 gray Known-threat-actor cluster has touched protocol Known-threat-actor wallet cluster has touched protocol | Applicable: Yes ($1.618B TVL high-value target) | No confirmed threat-actor wallet touch on Falcon contracts in public CTI reports as of 2026-05-12. Requires licensed Chainalysis/TRM feed for definitive assessment. Elevated sector-level risk (DWF Labs basis-trading model, synthetic dollar class targeted post-2025). Signal: gray.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Mempool probe (attacker wallet sending low-gas failing txs) | Applicable: Yes | Requires mempool monitoring + licensed CTI feed. No pre-strike probe transactions from CTI-flagged addresses on Falcon contracts identified from public data. Not assessable.
RD-F-162 gray Known-exploit-template selector deployed by any address Known-exploit-template selector-pattern deployed | Applicable: Partial | No known-exploit template exists for USDf/sUSDf class (original implementation, 0 exploits). Selector-pattern index not maintained for this class. v2-deferred. Not assessable.
RD-F-164 gray Leaked credential on paste/sentry site Leaked credential on paste/sentry site | Applicable: Yes (Fireblocks/Ceffu API keys and admin wallet keys are high-value targets) | Paste monitoring not configured. No public credential dump referencing Falcon Finance infrastructure identified. No public GitHub so no SECURITY.md. Not assessable.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps GitHub-flagged malicious-dependency incident | Applicable: Limited (no public GitHub) | No GHSA for Falcon Finance dependencies confirmed. OZ upgradeable contracts (inferred from proxy architecture) have no current critical advisories. Signal structurally limited by closed-source posture.
RD-F-163 green Avg attacker reconnaissance time for peer-class protocols Attacker wallet reconnaissance time for peer-class protocols | Applicable: Yes | Synthetic-dollar/basis-trading class has limited exploit history. Using USPD/Drift precedent (78 days) as baseline. CEX-dependent protocols may require longer institutional-layer reconnaissance. 30-120 day recon window provides meaningful detection opportunity if CTI monitoring is live.
RD-F-165 green Protocol social channel has scam-coordinator flag Telegram/Discord channel member flagged as scam-coordinator | Applicable: Yes (Discord discord.gg/falconfinance, Telegram t.me/FalconFinanceTG active) | No official channel admin flagged on curator scam-coordinator watchlist. Active impersonation campaign via external fake domains, not official channel compromise. Signal not firing.
Tooling / compiler / AI Green 11 5 of 5
Response & disclosure hygiene Red 67 4 of 4
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol falcon-finance