ERC4626 Tokenized Vault Security

ERC4626 is the tokenized vault standard — it defines a standardized interface for yield-bearing tokens where depositors receive shares representing their proportional claim on underlying assets. The standard is now widely used in DeFi for lending protocols, yield aggregators, and liquid staking wrappers. Its share calculation math introduces non-obvious vulnerabilities that have caused significant losses.

Vulnerability 1: Share inflation attack (first depositor attack)

The most critical ERC4626 vulnerability targets the first depositor. The attack works as follows:

  1. Attacker becomes the first depositor, minting 1 share for 1 wei of underlying asset
  2. Attacker directly donates a large amount of the underlying asset to the vault (bypassing deposit)
  3. The vault now holds a large amount of assets but only has 1 share outstanding
  4. The conversion rate becomes: 1 share = the entire donated balance
  5. When a legitimate user deposits less than the donated amount, integer division rounds their share amount down to 0
  6. The attacker then redeems their 1 share for the whole vault balance, including the victim's deposit

Fixes for share inflation

  • Virtual shares and assets: OpenZeppelin's ERC4626 adds virtual shares (e.g., 1e18 virtual shares and assets) as an offset, making the inflation attack economically infeasible
  • Minimum deposit: Require a minimum initial deposit or seed the vault with a small amount at deployment
  • Dead shares: Permanently lock a small amount of shares by sending them to address(0) at vault creation

// OpenZeppelin ERC4626 — virtual offset (recommended)
// Override this in a vault that inherits OpenZeppelin's ERC4626 (available since v4.9).
function _decimalsOffset() internal view virtual override returns (uint8) {
    return 6; // 10^6 virtual shares: the inflation attack costs ~10^6x more to carry out
}

Vulnerability 2: Rounding direction

ERC4626's previewMint and previewWithdraw must round in favor of the vault (ceiling), while previewDeposit and previewRedeem must round against the depositor (floor). Incorrect rounding direction allows users to extract more assets than they deposited, or enables flash loan attacks to drain the rounding difference repeatedly.

Always use OpenZeppelin's Math.mulDiv with explicit rounding direction:

// Rounding up for vault-favorable operations (here previewWithdraw: assets to shares).
// OpenZeppelin v5 names the mode Math.Rounding.Ceil; v4 called it Math.Rounding.Up.
shares = Math.mulDiv(assets, totalSupply() + 1, totalAssets() + 1, Math.Rounding.Ceil);
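The share arithmetic behind both Vulnerability 1 and Vulnerability 2 can be checked with plain integers. The Python model below is an added example, not OpenZeppelin's or any project's code: it implements the conversion formula shares = assets * (totalSupply + 10^offset) / (totalAssets + 1) with an explicit rounding direction (mul_div stands in for Math.mulDiv), plus a NaiveVault without the virtual offset for comparison. The names Vault, NaiveVault, inflation_scenario, shares_burned_for_withdraw and round_trip_never_profits are this example's own, and the donation and deposit amounts are constructed.

```python
"""Integer model of ERC4626 share accounting (added example).

Constructed model of the conversion arithmetic, not OpenZeppelin's
Solidity code.  Rounding direction is explicit so the inflation attack
and the preview-function rounding rules can be checked with integers.
"""
from dataclasses import dataclass, field


def mul_div(a: int, b: int, d: int, ceil: bool = False) -> int:
    """a * b / d in integers: floor by default, ceiling when ceil=True."""
    q, r = divmod(a * b, d)
    return q + 1 if ceil and r else q


@dataclass
class Vault:
    """OpenZeppelin-style vault: 10**offset virtual shares and 1 virtual asset."""
    offset: int = 0
    total_assets: int = 0          # underlying balance, donations included
    total_supply: int = 0          # shares outstanding
    balances: dict = field(default_factory=dict)

    def to_shares(self, assets: int, ceil: bool) -> int:
        return mul_div(assets, self.total_supply + 10 ** self.offset,
                       self.total_assets + 1, ceil)

    def to_assets(self, shares: int, ceil: bool) -> int:
        return mul_div(shares, self.total_assets + 1,
                       self.total_supply + 10 ** self.offset, ceil)

    # The four preview functions with the rounding direction the standard mandates.
    def preview_deposit(self, assets: int) -> int:  return self.to_shares(assets, ceil=False)
    def preview_mint(self, shares: int) -> int:     return self.to_assets(shares, ceil=True)
    def preview_withdraw(self, assets: int) -> int: return self.to_shares(assets, ceil=True)
    def preview_redeem(self, shares: int) -> int:   return self.to_assets(shares, ceil=False)

    def deposit(self, who: str, assets: int) -> int:
        shares = self.preview_deposit(assets)
        self.total_assets += assets
        self.total_supply += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def redeem(self, who: str, shares: int) -> int:
        assets = self.preview_redeem(shares)
        self.balances[who] -= shares
        self.total_supply -= shares
        self.total_assets -= assets
        return assets

    def donate(self, assets: int) -> None:
        """Direct token transfer: raises totalAssets() without minting any shares."""
        self.total_assets += assets


class NaiveVault(Vault):
    """Pre-mitigation formula: no virtual offset, 1:1 while the vault is empty."""
    def to_shares(self, assets: int, ceil: bool) -> int:
        if self.total_supply == 0:
            return assets
        return mul_div(assets, self.total_supply, self.total_assets, ceil)

    def to_assets(self, shares: int, ceil: bool) -> int:
        if self.total_supply == 0:
            return shares
        return mul_div(shares, self.total_assets, self.total_supply, ceil)


WEI = 10 ** 18  # constructed: 18-decimal underlying token


def inflation_scenario(vault: Vault, donation: int = 10_000 * WEI,
                       victim_deposit: int = 1_000 * WEI) -> dict:
    """Run the six steps from the text and report who ends up with what."""
    attacker_shares = vault.deposit("attacker", 1)            # step 1: 1 wei in
    vault.donate(donation)                                    # step 2: bypasses deposit()
    victim_shares = vault.deposit("victim", victim_deposit)   # step 5: rounds to 0 without offset
    attacker_out = vault.redeem("attacker", attacker_shares)  # step 6
    victim_out = vault.redeem("victim", victim_shares) if victim_shares else 0
    return {
        "victim_shares": victim_shares,
        "attacker_profit": attacker_out - (1 + donation),
        "victim_loss": victim_deposit - victim_out,
    }


def shares_burned_for_withdraw(total_assets: int, total_supply: int,
                               assets: int, ceil: bool) -> int:
    """previewWithdraw under a given rounding; the standard requires ceil=True."""
    v = NaiveVault(total_assets=total_assets, total_supply=total_supply)
    return v.to_shares(assets, ceil)


def round_trip_never_profits(vault: Vault, amounts) -> bool:
    """Invariant to test in an audit: deposit then redeem never returns more than put in."""
    for a in amounts:
        s = vault.deposit("u", a)
        if vault.redeem("u", s) > a:
            return False
    return True
```

Running inflation_scenario on NaiveVault() reproduces the six steps: the victim receives 0 shares and the attacker's profit equals the victim's deposit. On Vault(offset=6) the victim receives shares and loses only a few parts per million to rounding, while the attacker gets back roughly half of the donation, so the attack is a loss for them. shares_burned_for_withdraw shows why previewWithdraw must round up: with floor rounding, withdrawing 333 of 1000 assets from a 3-share vault burns 0 shares, which is exactly the difference a repeated flash-loan loop would drain.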

Vulnerability 3: Reentrancy in harvest/rebalance

Vaults that interact with external protocols (e.g., Aave, Compound) during deposit, withdrawal, harvest, or rebalance open reentrancy vectors. Use ReentrancyGuard on all state-changing vault functions. See the reentrancy page.

Vulnerability 4: Oracle manipulation via vault share price

Some protocols use ERC4626 share prices as price oracles. If the vault's underlying assets are manipulable via flash loans (e.g., the vault holds AMM LP tokens), the share price can be temporarily inflated to manipulate dependent protocols. See the oracle manipulation page.

Audit ERC4626 vaults

SmartContract.us detects share inflation vulnerability patterns, rounding direction issues, and reentrancy in vault contracts.