First-depositor / share-inflation guard
Beefy Finance's assessment for RD-F-075 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
BeefyVaultV7 has no first-depositor protection in contract code. The deposit function, confirmed from source, mints shares 1:1 when totalSupply() == 0 (shares = _amount) with no guard: no virtual offset, no dead-share seed, and no minimum initial deposit is enforced on-chain. The classic donation-plus-rounding share-inflation attack is therefore structurally possible.

Practical mitigants (not contract-enforced): (1) Beefy's operational launch process requires some TVL before live exposure (web search: 'empty vaults will fail validation checks'); (2) active vaults have per-vault TVL typically in the tens of thousands to millions, making attacks economically costly; (3) the attack window is narrowest at vault launch.

Zellic's 2023-08 ERC-4626 Wrapper audit did address the inflation attack in the wrapper product (fixed in commit 39a7e1a), but the underlying BeefyVaultV7 core vault remains unprotected at the contract level. Scored yellow: a real structural weakness, but practical exploitability is mitigated by operational practice and active vault TVL.
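The difference between the unguarded 1:1 first mint and a virtual-offset guard can be checked with an integer model of the share math. This is an added example, not Beefy's contract code or the curator's: the pro-rata branch for a non-empty vault, the offset value and all function names are assumptions made for illustration.

```python
# Added example: integer model of share minting, not Beefy's contract code.
OFFSET = 10**3  # assumed virtual-share offset; the page names no value


def shares_unguarded(amount, pool, supply):
    """Shares minted with no first-depositor guard."""
    if supply == 0:
        return amount  # branch quoted on the page: shares = _amount
    # Assumed pro-rata branch; floor division mirrors Solidity integer math.
    return amount * supply // pool


def shares_virtual_offset(amount, pool, supply):
    """Shares minted with virtual shares and one virtual asset unit added."""
    return amount * (supply + OFFSET) // (pool + 1)


def redeemable(shares, pool, supply, virtual):
    """Underlying a holder can withdraw for `shares` under either model."""
    if virtual:
        return shares * (pool + 1) // (supply + OFFSET)
    return shares * pool // supply if supply else 0


def depositor_outcome(virtual, seed, donation, deposit):
    """Replay: seed deposit into an empty vault, a balance increase that mints
    no shares, then a later deposit. Returns (shares, redeemable) for the
    later depositor."""
    mint = shares_virtual_offset if virtual else shares_unguarded
    pool = supply = 0
    supply += mint(seed, pool, supply)
    pool += seed
    pool += donation  # underlying sent straight to the vault, no mint
    got = mint(deposit, pool, supply)
    pool += deposit
    supply += got
    return got, redeemable(got, pool, supply, virtual)


if __name__ == "__main__":
    unit = 10**18  # constructed sample: one token with 18 decimals
    for virtual in (False, True):
        print("virtual offset" if virtual else "unguarded",
              depositor_outcome(virtual, seed=1, donation=unit, deposit=unit))
```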
Sources
- GitHub: BeefyVaultV7.sol — deposit function (no first-depositor guard confirmed). BeefyVaultV7.sol deposit() — 'if (totalSupply() == 0) { shares = _amount; }' — no first-depositor guard (WebFetch 2026-05-16). Retrieved 2026-05-16.
- Beefy SAFU Practices Documentation. docs.beefy.finance/safety/beefy-safu-practices — no share inflation protection mechanisms mentioned. Retrieved 2026-05-16.
- Beefy Zellic 4626 Wrapper Audit — inflation attack finding and fix. Zellic ERC-4626 Wrapper Audit 2023-08-03 — inflation attack risk in wrapper, fixed; core BeefyVaultV7 not ERC-4626 and does not benefit from wrapper fix. Retrieved 2026-05-16.
- Beefy Vault Contract Documentation. docs.beefy.finance/developer-documentation/vault-contract — no first-depositor protection documented; getPricePerFullShare() handles zero totalSupply with 1e18 floor, no guard. Retrieved 2026-05-16.
Methodology
Determine whether the vault has a first-depositor guard (seed deposit on deploy, virtual-share offset, or floor-check).