ERC-4626 virtual-share offset (OZ ≥4.9)
Yearn Finance's assessment for RD-F-074 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
LIVE factor: Yearn is ERC-4626. The Vyper V3 core vault (VaultV3.vy, API_VERSION 3.0.4) does NOT implement the OZ 4.9.x virtual-share offset (_decimalsOffset pattern).

Raw source analysis: _convert_to_shares() returns assets 1:1 when total_supply == 0; initialize() has no dead-shares mechanism or seed deposit parameter; VaultFactory.vy deploy_new_vault() has no initial_deposit or dead_shares parameter. The OZ 4.9.5 oz_contracts_version cited in the cache applies to the Solidity periphery only (ERC4626Router, TokenizedStrategy Solidity wrapper), NOT to the Vyper core vault. V2 Vault.vy has the same gap: _issueSharesForAmount() returns amount 1:1 when totalSupply == 0.

Mitigants:
- (1) V3 vaults are deployed by permissioned actors (Yearn team / Role Manager), not permissionlessly; the attack requires controlling the first deposit.
- (2) Role Manager configuration of strategies is staged separately from vault deployment, providing an operational window to seed the vault.
- (3) ChainSecurity 2024-05
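To make the gap concrete, the following constructed Python model (added here; it is not Yearn's or OpenZeppelin's code) runs the same seed deposit, donation and honest deposit through the 1:1-at-zero-supply conversion described above and through the OZ >= 4.9 virtual-offset conversion; `Vault`, `first_depositor_scenario` and the wei amounts are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    """Minimal ERC-4626 share accounting (constructed model, not Yearn or OZ code).
    offset == 0 mimics VaultV3.vy as described above: 1:1 while total_supply == 0,
    then floor(assets * supply / total_assets). offset > 0 mimics OZ >= 4.9, where
    10**offset virtual shares and 1 virtual asset always take part in the conversion."""
    offset: int = 0
    total_supply: int = 0
    total_assets: int = 0

    def convert_to_shares(self, assets: int) -> int:
        if self.offset == 0:
            if self.total_supply == 0:
                return assets  # 1:1 seed with no floor: the gap the assessment flags
            return assets * self.total_supply // self.total_assets
        return assets * (self.total_supply + 10**self.offset) // (self.total_assets + 1)

    def convert_to_assets(self, shares: int) -> int:
        if self.offset == 0:
            if self.total_supply == 0:
                return shares
            return shares * self.total_assets // self.total_supply
        return shares * (self.total_assets + 1) // (self.total_supply + 10**self.offset)

    def deposit(self, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_supply += shares
        self.total_assets += assets
        return shares

    def donate(self, assets: int) -> None:
        # Direct token transfer into the vault: total_assets rises, no shares are minted
        self.total_assets += assets

def first_depositor_scenario(offset: int, seed: int, donation: int, victim: int) -> dict:
    """Seed deposit, then a donation that inflates the share price, then an honest
    deposit; report what each side could redeem afterwards (all amounts in wei)."""
    v = Vault(offset=offset)
    seed_shares = v.deposit(seed)
    v.donate(donation)
    victim_shares = v.deposit(victim)
    return {
        "victim_shares": victim_shares,
        "victim_loss": victim - v.convert_to_assets(victim_shares),
        "seed_value": v.convert_to_assets(seed_shares),
        "seed_cost": seed + donation,
    }
```

With offset 0 the honest depositor receives zero shares for 1e18 wei and the seed position absorbs the full deposit; with offset 6 the same sequence costs the honest depositor about 2.5e11 wei and leaves the seed position worth far less than the donation that created it.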
Sources
- VaultV3.vy (yearn/yearn-vaults-v3, GitHub): VaultV3.vy master branch: _convert_to_shares() returns assets 1:1 when total_supply == 0; initialize() params: asset, name, symbol, role_manager, profit_max_unlock_time; no dead-shares or seed deposit; API_VERSION constant = '3.0.4'. Retrieved 2026-05-16.
- Yearn Vaults V3 Smart Contract Audit (ChainSecurity): ChainSecurity audit of Yearn V3 Vaults (2024-05); scope covers VaultV3.vy; findings summary shows no critical or high-severity issues; two medium correctness issues resolved. Retrieved 2026-05-16.
- Vault.vy (yearn/yearn-vaults-v2, GitHub): V2 Vault.vy master: _issueSharesForAmount() returns amount when totalSupply == 0 (1:1, no floor check); _shareValue() returns shares 1:1 at zero supply. No virtual-share offset in the V2 Vyper vault. Retrieved 2026-05-16.
- Yearn Finance Protocol Profile (economic flags), 00-profile.md section 11 (flags for economic analyst): 'OZ 4.9.5 virtual-shares mitigation applies to Solidity periphery ONLY; verify whether the Vyper V3 vault core independently implements dead-shares / virtual-offset guard (F074/F075)'; confirmed absent. Retrieved 2026-05-16.
Methodology
Determine whether ERC-4626 vaults use OpenZeppelin ≥4.9 virtual-share offset pattern to prevent first-depositor share-inflation.