“Ethereum Request for Comments”, or ERC, is essentially a set of rules that smart contracts built on the Ethereum blockchain need to follow. These rules dictate how tokens and contracts are created and used in the Ethereum network.
Think of ERC-20 as the foundational element for creating new tokens on Ethereum. It provides basic instructions and functionalities that any token in the Ethereum network must adhere to. Besides ERC-20, there are several other ERC standards, such as ERC-721, ERC-725, ERC-4337 and ERC-4626, each serving its own set of purposes.
In this blog, we’ll take a closer look at ERC-4626, specifically its role as a vault standard and the security concerns associated with it.
What is a yield-bearing Vault?
Let’s first understand what a yield-bearing vault is. A vault is a digital safe for cryptocurrencies that comes with extra features. A yield-bearing vault incorporates smart contracts that help users maximize the yields from their digital assets.
These smart contracts play a crucial role: they accept token deposits from users and, in turn, provide them with yield-bearing vault tokens. For example, if you deposit DAI into a vault, you’d get vDAI (vault DAI) in return.
These vaults are designed with pre-defined strategies to generate earnings through reallocating capital, auto compounding and rebalancing.
In this way, the tokens you put into a vault generate yields. However, things get tricky when you want to bring tokens from different protocols together in one place.
ERC-4626: Overcoming The Complexities
To build a DeFi application that supports different yield-bearing tokens, developers need to do a lot of research to understand how each token generates yields, and then write extra code to integrate each token’s yield method into the application. As you can see, the complexity of this process introduces the potential for errors or inaccuracies in the code.
This is where the ERC-4626 tokenized vault standard steps in. It simplifies the process of combining different tokens while reducing the chances of coding errors.
Processing In ERC-4626 vault contract
Now, let’s get to the workings of the vault in generating yields.
- Firstly, users deposit their assets into a smart contract vault. All the token assets are pooled, and the vault gives them ERC-20 tokens that represent the user’s share of deposited tokens in the pool.
- Each vault has strategies programmed into it to generate high yields for the deposited tokens. The tokens are allocated in a way that keeps the rewards from the token holdings high for the users.
- The vault allocates tokens as per the programmed conditions and also retains a percentage of tokens in reserves. If a user wants to withdraw, tokens from the reserves are distributed first, before anything is redeemed from the allocated sources.
Understanding ERC-4626 interface
ERC-4626 is an extension of the ERC-20 contract and standardizes deposits, withdrawals and the vault interface. This means that when an ERC-4626 contract distributes shares (i.e. ERC-20 tokens) for the initial deposit, it gives you an ERC-20-compliant token.
Functions and Events of ERC-4626
There are some important functions and events to know about this standard. Let’s get in and explore what they are.
asset and totalAssets
The asset function returns the address of the underlying token that the vault uses for accounting, depositing, and withdrawing.
The totalAssets function returns the total amount of the underlying asset held by the smart contract vault.
The deposit function is used when a user deposits assets in the vault. This function triggers the smart contract to distribute an equivalent amount of shares to the depositor.
The smart contract must emit an event whenever there is a deposit or withdrawal. The code for the event is given below.
When the users want to withdraw their assets from the vault, the Withdraw function allows the owner to burn shares in return for assets.
This function burns shares from the owner and gives out exactly the assets (tokens) to the receiver.
Mint and maxMint
The mint function deposits the user’s assets and mints exactly the given number of vault shares to the user.
maxMint returns the maximum amount of shares that can be minted in a single mint call initiated by the receiver.
redeem and maxRedeem
The redeem function retrieves a specific number of shares from the owner and gives assets of the underlying token to the receiver.
maxRedeem returns the maximum amount of shares that can be redeemed from the owner’s balance through a redeem call.
The preview functions are used alongside other functions such as deposit, withdraw, mint and redeem. Each one simulates the effects of its respective function at the current block.
convertToShares and convertToAssets
There are two convert functions:
convertToShares – converts assets to shares and gives exactly the number of shares for the underlying asset
convertToAssets – converts shares to assets and returns the amount of assets in exchange for the amount of shares provided to the vault.
This event is triggered when the user deposits a token into the vault.
This event is triggered when shares are withdrawn from the vault by the depositor.
Vulnerabilities and Security Concerns: ERC-4626
Because these vaults work on a fully permissionless basis, any malicious implementation can put user deposits at risk of loss. Here are some common issues these smart contracts are prone to.
Share Inflation: When a user deposits a certain amount of an asset into the contract, they receive a corresponding amount of shares in proportion to the total assets deposited. These shares can be distinct tokens or an internal state variable.
Shares for the underlying assets are calculated using the formula below.
This opens the door to share inflation when a malicious actor alters the ratio of shares to deposited assets.
Incorrect Rounding: Next is incorrect rounding, which arises when the process of depositing and withdrawing assets disproportionately benefits the user. In simpler terms, favourable rounding occurs when users end up with a greater number of shares compared to the assets they initially deposited or they receive more assets than they should when redeeming shares. This situation typically arises when developers fail to accurately round values with respect to the specific function invoked by a user.
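The two issues above, modelled as integer arithmetic in an added example (not code from this post or from any deployed contract). It assumes the usual ratio shares = assets × totalSupply / totalAssets; the Vault class, the offset (virtual shares) mitigation, the zero-share check and all amounts are constructed for illustration.

```python
# Added illustration: integer model of ERC-4626 share accounting, not contract code.
# The `offset` (virtual shares) mitigation and all amounts are assumptions of this example.

def mul_div(a, b, c, round_up):
    """Integer a*b/c with an explicit rounding direction."""
    q, r = divmod(a * b, c)
    return q + 1 if (round_up and r) else q

class Vault:
    def __init__(self, offset=None):
        self.offset = offset          # None = plain shares/assets ratio
        self.total_assets = 0         # underlying tokens held by the vault
        self.total_supply = 0         # vault shares in circulation

    def to_shares(self, assets, round_up=False):
        if self.offset is None:
            if self.total_supply == 0:
                return assets         # empty vault: 1 share per asset unit
            return mul_div(assets, self.total_supply, self.total_assets, round_up)
        # Virtual shares/assets keep the ratio from being dominated by a tiny supply.
        return mul_div(assets, self.total_supply + 10 ** self.offset,
                       self.total_assets + 1, round_up)

    def deposit(self, assets, require_nonzero=False):
        shares = self.to_shares(assets)            # deposit rounds DOWN (favours vault)
        if require_nonzero and shares == 0:
            raise ValueError("deposit would mint zero shares")
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def withdraw_cost(self, assets):
        return self.to_shares(assets, round_up=True)   # withdraw rounds UP (favours vault)

def deposit_after_skew(offset):
    """Shares minted for a 5,000-token deposit once the ratio has been skewed."""
    unit = 10 ** 18
    v = Vault(offset)
    v.deposit(1)                      # first depositor puts in 1 base unit
    v.total_assets += 10_000 * unit   # constructed skew: assets grow, no shares minted
    return v.deposit(5_000 * unit)

def rounding_gap():
    """Shares burned to withdraw 1 asset from a 10-asset / 3-share vault."""
    v = Vault()
    v.total_assets, v.total_supply = 10, 3
    return v.to_shares(1), v.withdraw_cost(1)   # (wrong: round down, correct: round up)

if __name__ == "__main__":
    print(deposit_after_skew(None), deposit_after_skew(3), rounding_gap())
```

With the plain ratio the later deposit mints no shares at all, while the virtual-shares variant still mints a proportional amount; rounding down on withdraw would hand out an asset for zero shares burned.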
The absence of a common standard posed a huge challenge for developers to bring together different yield-bearing tokens. However, with ERC-4626, it is now easy to access information about these yield-bearing tokens using just one API call. This standard makes it much simpler to enhance the security of DeFi applications that deal with these yield-bearing tokens.
At QuillAudits, we’re at the forefront of Web3 security, offering cutting-edge solutions to tackle any type of security concern. Feel free to get in touch with our experts for any Web3 security-related assistance.