Skip to content

TRC-4626: the share-inflation mitigation note agreed in #840 is missing from the published spec #897

Description

@BlackChar92

Follow-up to the discussion in #840. There, the first-depositor / share-inflation (donation) attack was raised (@Sunny6889) and the conclusion (@yanghang8612) was to fold a non-normative implementation note — virtual shares/assets offset and initial-seeding as mitigations, plus decimal-basis guidance — into Security Considerations when graduating to Last Call, without changing the interface.

That note doesn't appear in the published tip-4626.md. The current Security Considerations cover malicious implementations, EOA slippage, preview-as-oracle manipulation, and rounding direction, but not the inflation/donation attack or its mitigation (no mention of inflation / donation / virtual shares / first-depositor / empty-vault).

This is worth closing because the rounding-down-to-favor-the-vault rule already in the spec does not by itself prevent the empty-vault donation attack — the mitigation is the virtual-shares offset or seeding, which the spec currently leaves implementers to rediscover (the exact outcome #840 set out to avoid).

Proposed addition to Security Considerations (non-normative, no interface change):

Share-inflation / first-depositor (donation) attack. When a vault is empty or near-empty, an attacker can mint a tiny number of shares and then transfer assets directly into the vault, inflating the share price so that subsequent deposits round down to zero shares and are absorbed by the attacker. Favorable rounding alone does not prevent this. Implementations SHOULD mitigate it, e.g. via a virtual shares/assets offset (as in OpenZeppelin's implementation) or by seeding a non-trivial initial deposit at vault creation. The attack cost scales with the vault asset's decimals, not the chain's native-coin decimals — a 6-decimal asset (e.g. USDT) is cheaper to attack than an 18-decimal one.

Happy to open a PR with this wording if useful.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions