ERC-4626 virtual-share offset (OZ ≥4.9)
Frax Finance's assessment for RD-F-074 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
sfrxETH (ERC-4626, address 0xac3E018457B222d93114458476f3E3416Abbe38F) is the highest-TVL ERC-4626 vault in the Frax stack. sfrxETH.sol imports from custom xERC4626 base contract — NOT the OpenZeppelin >=4.9 ERC-4626 implementation that includes the virtual-share offset mechanism. The OZ virtual offset (introduced in OZ 4.9 to prevent share inflation attacks on first deposit) is not confirmed present. sfrxETH was launched in 2022, pre-dating OZ 4.9 virtual offset. The Code4rena 2022-09 audit reviewed frxETH/sfrxETH — if a share inflation gap existed at that scope level it would likely have been flagged, but this is not confirmed without reading the full audit PDF. Fraxlend fTokens also use ERC-4626 without documented virtual offset. Yellow: OZ virtual offset not confirmed; custom xERC4626 base warrants curator inspection.
Sources #
- AuditCode4rena frxETH Audit Report 2022-09Code4rena frxETH 2022-09 competitive audit: reviewed sfrxETH ERC-4626 implementation; most comprehensive public review of sfrxETH share mechanicsretrieved 2026-05-17
- FraxFinance/frxETH-public: sfrxETH.solfrxETH-public/sfrxETH.sol: imports xERC4626 base (not OZ >=4.9); no virtual offset visible in 101-line wrapperretrieved 2026-05-17
- sfrxETH Token — EtherscansfrxETH token on Etherscan: ERC-4626 confirmed; totalSupply ~41,190 sfrxETH; 3,915 holdersretrieved 2026-05-17
Methodology #
Determine whether ERC-4626 vaults use OpenZeppelin ≥4.9 virtual-share offset pattern to prevent first-depositor share-inflation.
See the full factor methodology and distribution across all protocols →