Security Audit Finding
Auditor: BinShao1988 (https://github.com/BinShao1988)
Date: 2026-03-14
Severity: Medium
Description
The ERC4626 implementation carries a well-documented inflation-attack risk for empty or nearly empty vaults. Although the risk is documented, we suggest strengthening the documentation with more prominent warnings and code examples.
Current State
The documentation mentions:
In empty (or nearly empty) ERC-4626 vaults, deposits are at high risk of being stolen through frontrunning with a "donation" to the vault that inflates the price of a share.
Suggestion
- Add a more prominent warning box at the top of the ERC4626 documentation
- Provide a code example of a _decimalsOffset() implementation
- Consider adding a SECURITY.md note about this risk
Recommended Implementation
pragma solidity ^0.8.20;
import {ERC4626, ERC20, IERC20} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";

contract SecureVault is ERC4626 {
    constructor(IERC20 asset_) ERC20("Secure Vault Share", "svSHARE") ERC4626(asset_) {}

    // 10**18 virtual shares per virtual asset: inflating the share price by donation costs far more than it can take
    function _decimalsOffset() internal pure virtual override returns (uint8) {
        return 18;
    }
}
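To make the recommended offset concrete for readers of the documentation, the following Python model, added here and not part of this finding or of OpenZeppelin's contracts, replays the "donation" scenario quoted above under three accounting rules: a naive ERC-4626 vault with no virtual shares, OpenZeppelin-style virtual accounting with the default _decimalsOffset() of 0, and the recommended value of 18. The Vault class, simulate_inflation_attack and the amounts (a 1-unit seed deposit, a 10_000_000_000-unit donation and a victim deposit of the same size, about 10,000 USDC for a 6-decimal asset) are constructed for this example; the share formulas follow OpenZeppelin's _convertToShares/_convertToAssets with floor rounding.

```python
# Added example (not part of the audit finding or of OpenZeppelin's code): an
# integer model of ERC-4626 share accounting that replays the donation scenario,
# once for a naive vault and once with virtual shares/assets (_decimalsOffset).
# All amounts below are constructed sample values.

from dataclasses import dataclass
from typing import Optional


@dataclass
class Vault:
    """Minimal ERC-4626 accounting: only the two totals determine the share price."""
    decimals_offset: Optional[int]  # None -> naive vault without virtual shares/assets
    total_assets: int = 0
    total_supply: int = 0

    def _virtual_shares(self) -> int:
        # OpenZeppelin adds 10**_decimalsOffset() virtual shares to totalSupply ...
        return 0 if self.decimals_offset is None else 10 ** self.decimals_offset

    def _virtual_assets(self) -> int:
        # ... and exactly one virtual asset unit to totalAssets.
        return 0 if self.decimals_offset is None else 1

    def convert_to_shares(self, assets: int) -> int:
        supply = self.total_supply + self._virtual_shares()
        held = self.total_assets + self._virtual_assets()
        if supply == 0:  # naive vault, first depositor: one share per asset unit
            return assets
        return assets * supply // held  # floor, as previewDeposit rounds

    def convert_to_assets(self, shares: int) -> int:
        supply = self.total_supply + self._virtual_shares()
        held = self.total_assets + self._virtual_assets()
        if supply == 0:
            return shares
        return shares * held // supply  # floor, as previewRedeem rounds

    def deposit(self, assets: int) -> int:
        shares = self.convert_to_shares(assets)  # priced on the pre-deposit state
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets: int) -> None:
        # Plain token transfer to the vault: raises totalAssets without minting shares.
        self.total_assets += assets

    def redeem(self, shares: int) -> int:
        assets = self.convert_to_assets(shares)
        self.total_supply -= shares
        self.total_assets -= assets
        return assets


def simulate_inflation_attack(decimals_offset: Optional[int], seed: int = 1,
                              donation: int = 10_000_000_000,
                              victim_deposit: int = 10_000_000_000) -> dict:
    """Replay the documented scenario on an empty vault and report each party's outcome."""
    vault = Vault(decimals_offset)
    attacker_shares = vault.deposit(seed)          # first depositor into the empty vault
    vault.donate(donation)                          # donation that inflates the share price
    victim_shares = vault.deposit(victim_deposit)   # the deposit that was front-run
    victim_back = vault.redeem(victim_shares)
    attacker_back = vault.redeem(attacker_shares)
    return {
        "victim_shares": victim_shares,
        "victim_loss": victim_deposit - victim_back,
        "attacker_profit": attacker_back - (seed + donation),
    }


if __name__ == "__main__":
    for label, offset in (("naive vault", None), ("offset 0 (default)", 0), ("offset 18", 18)):
        print(f"{label:>19}: {simulate_inflation_attack(offset)}")
```

Run stand-alone, the model shows the three regimes the warning box should spell out: without virtual accounting the depositor receives zero shares and the whole deposit ends up with the front-runner; with the default offset of 0 the front-runner's loss slightly exceeds the depositor's, so the attack is unprofitable, but the depositor still loses a third of the deposit to rounding; with an offset of 18 the depositor's loss is a single unit while the front-runner burns half the donation. The offset therefore bounds the rounding loss rather than removing it, which is the caveat the documentation example should carry.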
References
This finding was part of a security audit conducted on popular Ethereum projects.