defirisk.co
rubric v1.7.0

First-depositor / share-inflation guard

Veda (BoringVault)'s assessment for RD-F-075 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

BoringVault's enter() mints shares where shareAmount is passed by MINTER_ROLE (Teller). Teller computes: shares = depositAmount.mulDivDown(ONE_SHARE, accountant.getRateInQuoteSafe(asset)). This means share price is driven by Accountant exchange rate, NOT by totalAssets/totalSupply ratio. Classic first-depositor donation attack (donate assets to vault → inflate share price → next depositor receives far fewer shares) is architecturally blocked because pricing is not derived from vault asset balance. However: (a) startingExchangeRate constructor parameter has no on-chain minimum — a vault deployed with a near-zero initial rate could allow abnormal initial share distribution; (b) no seed deposit is enforced at BoringVault level; (c) Share Lock Period (post-mint lock period) mitigates flash-loan manipulation. The protection is structural but relies on operator setting a reasonable startingExchangeRate. Yellow: first-depositor inflation in its classic form is blocked; residual risk from unco

Sources #

Methodology #

Determine whether the vault has a first-depositor guard (seed deposit on deploy, virtual-share offset, or floor-check).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol veda factor RD-F-075 score yellow collected_at 2026-05-17 12:41:22