ERC-4626 first-depositor inflation → drain new deposits
Be the first depositor with 1 wei → mint 1 share. Send tokens directly to the vault to inflate share price. Every subsequent depositor's amount, integer-divided by the inflated rate, rounds to zero shares.
§ Context
Assumed environment: target deployed a fresh ERC-4626 vault without virtual-share / virtual-asset protection (the OpenZeppelin v5 mitigation). No pre-deposit of liquidity by the deployer.
§ Steps
- 01Withdraw inflated share — pockets the rounded-out depositsExfiltrationT1041— Exfiltration Over C2 Channel
- 02Wait for new depositorsInitial AccessT1078— Valid Accounts
- 03Be the first depositor (1 wei)Initial AccessT1078— Valid Accounts
- 04Share price now massively inflatedImpactAA-4626-INFLATION— ERC-4626 Vault Inflation Attack
- 05Transfer tokens directly to vault addressImpactAA-4626-INFLATION— ERC-4626 Vault Inflation Attack
§ References
§ Frequently asked
- What is the "ERC-4626 first-depositor inflation → drain new deposits" attack path?
- Be the first depositor with 1 wei → mint 1 share. Send tokens directly to the vault to inflate share price. Every subsequent depositor's amount, integer-divided by the inflated rate, rounds to zero shares. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Withdraw inflated share — pockets the rounded-out deposits (T1041) — a exfiltration primitive. Assumed environment: target deployed a fresh ERC-4626 vault without virtual-share / virtual-asset protection (the OpenZeppelin v5 mitigation).
- What is the final impact of this kill-chain?
- The final step lands on Transfer tokens directly to vault address (AA-4626-INFLATION), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques2
Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- Shared techniques2
Apple Pay Express Transit relay → high-value contactless fraud
Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.
- Shared techniques2
Vesting beneficiary replace → silently drain stream
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- Shared techniques2
Insider admin panel coercion → mass account takeover (Twitter 2020)
Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- Shared techniques2
SAML signature wrapping (XSW) → impersonate admin
Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.
- Shared techniques2
MEV bot honeypot → drain searcher
Plant a transaction that looks like easy arbitrage in the public mempool. The MEV searcher bot front-runs into a trap contract whose 'profit' function reverts and seizes the searcher's gas + funds.