First-depositor / share-inflation guard
Multipli's assessment for RD-F-075 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Same evidence base as F074. OZ ERC4626Upgradeable with the default _decimalsOffset() = 0 provides 1 virtual asset and 1 virtual share, a minimal guard against the first-depositor share-inflation attack. OZ explicitly advises vault deployers to make a non-trivial initial seed deposit for additional protection. There is no evidence of such a seed deposit at vault deployment (not mentioned in docs, not in audit findings summaries, not in llms-full.txt). Source code is inaccessible (GitHub raw returns 404; no Etherscan addresses). Current TVL (~$350M) makes an active first-depositor attack practically infeasible today (manipulation profit << gas + capital cost at this TVL scale). However, at vault genesis and early stage this was a live risk surface. The Shieldify June 2025 'ERC-4626 Vault' audit likely addressed this, but the PDF is inaccessible. Yellow: nominal OZ protection exists; a confirmed guard (seed deposit or offset override) is not evidenced; source is unverifiable.
Sources
- Audit: Shieldify Audits Portfolio — Multipli Vault Security Review. Shieldify audit #95 — Multipli Vault Security Review (June 2025, ERC-4626 scope): PDF inaccessible; findings not publicly summarized. Retrieved 2026-05-17.
- Multipli Full Documentation Corpus. Multipli docs llms-full.txt: no mention of first-depositor protection mechanism in full documentation corpus. Retrieved 2026-05-17.
- OZ ERC4626Upgradeable.sol — GitHub. OZ ERC4626Upgradeable — no explicit first-depositor guard in base; documentation recommends seed deposit by deployer. Retrieved 2026-05-17.
Methodology
Determine whether the vault has a first-depositor guard (seed deposit on deploy, virtual-share offset, or floor-check).
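How two of the guards named above change the outcome, as an added example (not Multipli's or OpenZeppelin's code): a Python integer model of the rounding in OpenZeppelin's ERC4626 conversion formulas, comparing the default offset of 0, an offset of 6, and a deployer seed deposit. The class, function names and amounts are assumptions chosen for illustration.

```python
# Added example: integer model of OpenZeppelin ERC4626 share math (v4.9+/v5).
# Names and scenario amounts are illustrative assumptions, not vault data.

class VaultModel:
    def __init__(self, decimals_offset=0):
        self.virtual_shares = 10 ** decimals_offset  # 10 ** _decimalsOffset()
        self.total_assets = 0   # underlying token balance held by the vault
        self.total_supply = 0   # shares minted so far

    def convert_to_shares(self, assets):
        # assets * (totalSupply + 10**offset) / (totalAssets + 1), rounded down
        return assets * (self.total_supply + self.virtual_shares) // (self.total_assets + 1)

    def convert_to_assets(self, shares):
        # shares * (totalAssets + 1) / (totalSupply + 10**offset), rounded down
        return shares * (self.total_assets + 1) // (self.total_supply + self.virtual_shares)

    def deposit(self, assets):
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def receive_transfer(self, assets):
        # Assets sent straight to the vault: balance grows, no shares minted.
        self.total_assets += assets


def late_depositor_loss(decimals_offset, seed, transfer, deposit):
    """Units of the underlying a later depositor cannot redeem after an
    optional deployer seed, a 1-unit first deposit and a direct transfer."""
    vault = VaultModel(decimals_offset)
    if seed:
        vault.deposit(seed)
    vault.deposit(1)
    vault.receive_transfer(transfer)
    shares = vault.deposit(deposit)
    return deposit - vault.convert_to_assets(shares)


if __name__ == "__main__":
    cases = [("offset 0, no seed", 0, 0),
             ("offset 6, no seed", 6, 0),
             ("offset 0, seed 1_000_000", 0, 1_000_000)]
    for label, offset, seed in cases:
        loss = late_depositor_loss(offset, seed, 1_000_000, 1_000_000)
        print(f"{label}: depositor loses {loss} of 1_000_000")
```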