First-depositor / share-inflation guard
Yearn Finance's assessment for RD-F-075 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
LIVE factor -- confirms F074 finding. Neither V2 Vyper vaults nor V3 Vyper core implement a first-depositor guard. V3 _deposit() checks: (1) assets <= max_deposit (deposit limit); (2) assets > 0; (3) shares > 0 -- no empty-vault inflation check. minimum_total_idle in V3 is a withdrawal-reserve configuration (enforced during _update_debt, not during deposit share pricing) and does not act as a first-depositor guard. V2 _issueSharesForAmount() is 1:1 at zero supply with no floor. Historical precedent: 2023-04-13 exploit (rekt.news/yearn2-rekt) involved share-price manipulation on a legacy yUSDT V1 vault (immutable Fulcrum address misconfiguration enabling share inflation). This is a related but distinct share-accounting attack class -- it confirms that share-price mechanics in Yearn legacy vaults have been exploited before. V3 has Role Manager permissioning which constrains but does not eliminate the first-depositor risk window. yAudit June 2023 audit of early Yearn V3 noted double-round
Sources
- GitHub: VaultV3.vy - yearn/yearn-vaults-v3. GitHub VaultV3.vy _deposit() internal function: checks assets <= max_deposit, assets > 0, shares > 0; no empty-vault protection or floor check; minimum_total_idle enforced in _update_debt only (not deposit path). Retrieved 2026-05-16.
- Yearn Vaults V3 Smart Contract Audit - ChainSecurity. ChainSecurity 2024-05 Yearn V3 audit: no critical/high findings; partial assurance that the V3 Vyper core share-accounting has been reviewed, but no specific virtual-share offset mitigation was added. Retrieved 2026-05-16.
- 06-2023 Yearn V3 Audit - yAudit Reports. yAudit 2023 Yearn V3 audit (06-2023): mint() has double-rounding issue (shares converted to assets then reconverted in _deposit); orthogonal to first-depositor guard but indicates share-accounting precision is an audit concern. Retrieved 2026-05-16.
- Yearn Finance - Rekt News (2023-04-13). rekt.news yearn2-rekt (2023-04-13, ~$11.4M loss): share-price manipulation on legacy yUSDT V1 vault via immutable Fulcrum address misconfiguration; demonstrates share-accounting attack precedent in Yearn vault history. Retrieved 2026-05-16.
Methodology
Determine whether the vault has a first-depositor guard (seed deposit on deploy, virtual-share offset, or floor-check).
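The guard types named in the methodology, compared in a generic integer-math vault model. This is an added example, not Yearn's Vyper code or the curator's tooling: the `Vault` class, its parameters and every amount are constructed for illustration, and the model assumes total assets can grow without shares being minted. The third case stands in for both a floor-check and a seed deposit that is never withdrawn.

```python
# Added illustration: generic share-vault arithmetic, not Yearn's Vyper code.
# Vault, its parameters and all amounts are hypothetical/constructed.
class Vault:
    def __init__(self, virtual=False, offset=0, min_first_shares=0):
        self.total_assets = 0
        self.total_supply = 0
        self.virtual = virtual                    # virtual-share offset guard
        self.offset = offset                      # decimals of virtual shares
        self.min_first_shares = min_first_shares  # floor-check guard

    def _convert(self, amount, to_shares):
        # With the guard on, 10**offset virtual shares and 1 virtual asset
        # are always counted, so the ratio is never computed on tiny totals.
        v_sh, v_as = (10 ** self.offset, 1) if self.virtual else (0, 0)
        supply, assets = self.total_supply + v_sh, self.total_assets + v_as
        if to_shares:
            return amount if assets == 0 else amount * supply // assets
        return amount * assets // supply

    def deposit(self, assets):
        shares = self._convert(assets, to_shares=True)
        if assets <= 0 or shares <= 0:
            raise ValueError("zero assets or zero shares")
        if self.total_supply == 0 and shares < self.min_first_shares:
            raise ValueError("first deposit below share floor")
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def credit(self, assets):
        # Assets arrive without minting shares (assumed possible in this model).
        self.total_assets += assets

    def value_of(self, shares):
        return self._convert(shares, to_shares=False)


def rounding_loss(vault, first, credited, second):
    """Assets the second depositor loses to floor division."""
    vault.deposit(first)
    vault.credit(credited)
    shares = vault.deposit(second)
    return second - vault.value_of(shares)


if __name__ == "__main__":
    print("no guard      :", rounding_loss(Vault(), 1, 10_000, 15_000))
    print("virtual offset:", rounding_loss(Vault(virtual=True, offset=3), 1, 10_000, 15_000))
    print("seeded/floored:", rounding_loss(Vault(min_first_shares=1000), 1000, 10_000, 15_000))
```

The `assets > 0` and `shares > 0` checks in `deposit()` pass in all three runs, which is why they do not count as a first-depositor guard on their own.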