ERC-4626 virtual-share offset (OZ ≥4.9)
Fluid's assessment for RD-F-074 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Data cache confirms oz_contracts_version: '4.8.2'. OZ 4.8.2 does NOT include the virtual-share offset introduced in OZ 4.9 (August 2023, post-inflation-attack fix). GitHub fToken/variables.sol analysis confirms the contract inherits from basic ERC20 + ERC20Permit (not OZ ERC4626). Share calculation uses direct exchange-price arithmetic (sharesMinted = assets * EXCHANGE_PRICES_PRECISION / tokenExchangePrice) with no virtual offset. The minDeposit floor is a partial mitigation but not equivalent to the OZ 4.9 fix. Red: protocol is below OZ 4.9 threshold and lacks the virtual-share offset protection.
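The two share conversions contrasted above, modelled in Python integer arithmetic. This is an added example, not Fluid's or OpenZeppelin's code. The `EXCHANGE_PRICES_PRECISION` value, the sample exchange price and the vault state are constructed assumptions, and `min_nonzero_deposit` is a hypothetical helper.

```python
# Added example: Solidity uint256 floor division modelled with Python ints.
EXCHANGE_PRICES_PRECISION = 10**12  # assumed value, not stated on the page


def shares_exchange_price(assets: int, token_exchange_price: int) -> int:
    """Formula quoted in the evidence summary: no virtual offset."""
    return assets * EXCHANGE_PRICES_PRECISION // token_exchange_price


def min_nonzero_deposit(token_exchange_price: int) -> int:
    """Hypothetical helper: smallest deposit that mints at least one share,
    i.e. the value a minDeposit floor must reach at this exchange price."""
    return -(-token_exchange_price // EXCHANGE_PRICES_PRECISION)  # ceil division


def shares_pre_4_9(assets: int, total_supply: int, total_assets: int) -> int:
    """OZ 4.8-style ERC4626 conversion: 1:1 when empty, no virtual shares."""
    if assets == 0 or total_supply == 0:
        return assets
    return assets * total_supply // total_assets


def shares_oz_4_9(assets: int, total_supply: int, total_assets: int,
                  decimals_offset: int = 0) -> int:
    """OZ >=4.9 ERC4626 conversion with virtual shares and one virtual asset."""
    return assets * (total_supply + 10**decimals_offset) // (total_assets + 1)


if __name__ == "__main__":
    # Constructed state: share price heavily skewed (1 share backs ~10,000 units
    # of a 6-decimal asset), then a 5,000-unit deposit arrives.
    supply, managed, deposit = 1, 10_000 * 10**6 + 1, 5_000 * 10**6
    print("pre-4.9 shares:", shares_pre_4_9(deposit, supply, managed))
    print("4.9 offset=6  :", shares_oz_4_9(deposit, supply, managed, 6))
    price = 1_050_000_000_000  # constructed: exchange price of 1.05
    print("1-wei deposit :", shares_exchange_price(1, price))
    print("floor needed  :", min_nonzero_deposit(price))
```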
Sources
- Docs: Fluid fTokenCore documentation. fTokenCore autogenerated docs — sharesMinted = (assets * EXCHANGE_PRICES_PRECISION) / tokenExchangePrice formula; no virtual offset. Retrieved 2026-04-29.
- Fluid fToken variables.sol — share accounting. fluid-contracts-public/contracts/protocols/lending/fToken/variables.sol — inherits ERC20, ERC20Permit; no virtual shares; exchange price state variables. Retrieved 2026-04-29.
- Fluid GitHub — OZ 4.8.2 dependency. fluid-contracts-public: oz_contracts_version: 4.8.2 (data cache). Retrieved 2026-04-29.
Methodology
Determine whether ERC-4626 vaults use the OpenZeppelin ≥4.9 virtual-share offset pattern to prevent first-depositor share inflation.