ERC 4626 Token Standard And Its Security Concerns Explained

ERC 4626 Token Standard And Its Security Concerns Explained

ERC 4626 Token Standard And Its Security Concerns Explained

ERC 4626 Token Standard And Its Security Concerns Explained

ERC 4626 Token Standard And Its Security Concerns Explained

Read Time: 7 minutes

“Ethereum Request for Comments”, or ERC, is essentially a set of rules that smart contracts built on Ethereum blockchain need to follow. These rules dictate how tokens and contracts are created and used in the Ethereum network.

Think of ERC-20 as the foundational element for creating new tokens on Ethereum. It provides basic instructions and functionalities that any token in the Ethereum network must adhere to. Like ERC-20, there are several other ERC standards like ERC-721, ERC-725, ERC 4337 and ERC-4626, each to serve its own set of purposes.

In this blog, we’ll take a closer look at ERC-4626, specifically its role as a vault standard and the security concerns associated with it.

What is a yield-bearing Vault?

Let’s first understand what a yield-bearing vault is. A vault is a digital safe for cryptocurrencies but comes with extra features. Yield-bearing vault incorporates smart contracts that assist users in maximizing the yields from their digital assets.

These smart contracts play a crucial role: they accept token deposits from users and, in turn, provide them with yield-bearing vault tokens. For example, if you deposit DAI into a vault, you’d get vDAI (vault DAI) in return. 

These vaults are designed with pre-defined strategies to generate earnings through reallocating capital, auto compounding and rebalancing.

In this way, the tokens you put into a vault generate yields. However, things get tricky when you want to bring tokens from different protocols together in one place.

ERC-4626: Overcoming The Complexities

To build a DeFi application that supports different yield-bearing tokens, the developers need to do a lot of research to understand how each token generates yields and write extra code to integrate each token’s yield method into the application. As you see, the complexity of this process introduces the potential for errors or inaccuracies in the code.

This is where the ERC-4626 tokenized vault standard steps in. It simplifies the process of combining different tokens while reducing the chances of coding errors.

Processing In ERC-4626 vault contract

Now, let’s get to the workings of the vault in generating yields. 

  • Firstly, users deposit their assets into a smart contract vault. All the token assets are pooled, and the vault gives them ERC-20 tokens that represent the user’s share of deposited tokens in the pool.
  • Each vault has strategies programmed in it to generate high yields for the deposited token. They are allocated in a way to ensure the rewards from the token withholdings are high for the users. 
  • The Vault allocates tokens as per the programmed condition and also retains a percentage of tokens within the reserves. In case the user wants to withdraw, the tokens from the reserves are distributed first before redeeming from the allocated sources. 

Understanding ERC-4626 interface

The Ethereum ERC-4626 is an extension of the ERC-20 contract and standardizes Deposits and withdrawals and its interface. By this, it means when an ERC4626 contract distributes shares(i.e. ERC-20 tokens) for the initial deposit, it gives you an ERC20-compliant token.

Functions and Events of ERC-4626

There are some important functions and events to know about this standard. Let’s get in and explore what they are.

Asset and totalAsset

Asset function returns the address of the underlying token used for the vault for accounting, depositing, and withdrawing.

The total amount of the underlying asset held by the smart contract vault is given under totalAssets.


Deposit function is used when an user deposits any function in the vault. This function triggers the smart contract to distribute an equivalent amount of shares to the depositor. 

As an event, the smart contract must be triggered whenever there is a deposit or withdrawal. The code for the event is given below. 


When the users want to withdraw their assets from the vault, the Withdraw function allows the owner to burn shares in return for assets. 

This function burns shares from the owner and gives out exactly the assets(tokens) to the receiver. 

Mint and maxMint

The Mint function deposits the user’s assets and exactly shares the vault token share to the user. 

maxMint returns the maximum amount of shares minted in a single mint call initiated by the receiver

redeem and maxRedeem

Redeem function retrieves specific shares from the owner and gives assets of the underlying token to the receiver.

maxRedeem returns the maximum amount of shares redeemed from the owner’s balance through redeem call.


Preview function is used alongside other functions such as deposit, withdrawal, mint and deposit. It simulates the effects of respective function at the current block. 





convertToShares and convertToAssets

There are two convert functions:

convertToShares – converts assets to shares and gives exactly the number of shares for the underlying asset

convertToAssets – that converts shares to assets and returns the amount of assets in exchange for the amount of shares provided to the vault. 

Deposit Event

This event is triggered when the user deposits a token into the vault. 

Withdraw Event

This event is triggered when shares are withdrawn from the vault by the depositor

Vulnerabilities and Security Concerns: ERC – 4626

Working on a fully permissionless basis, any malicious implementations can be a threat to losing user deposits. Here are some common issues these smart contracts are prone to.

Share Inflation: When a user deposits a certain amount of an asset into the contract, they receive a corresponding amount of share in proportion to the total assets deposited. These shares can be distinct tokens or an internal state variable. 

Shares for the underlying assets are calculated using the formula below.

This introduces the chances for share inflation when the malicious actor alters the ratio between the shares to deposited assets. 

Incorrect Rounding: Next is incorrect rounding, which arises when the process of depositing and withdrawing assets disproportionately benefits the user. In simpler terms, favourable rounding occurs when users end up with a greater number of shares compared to the assets they initially deposited or they receive more assets than they should when redeeming shares. This situation typically arises when developers fail to accurately round values with respect to the specific function invoked by a user.

Wrapping Up

The absence of a common standard posed a huge challenge for developers to bring together different yield-bearing tokens. However, with ERC-4626, it is now easy to access information about these yield-bearing tokens using just one API call. This standard makes it much simpler to enhance the security of DeFi applications that deal with these yield-bearing tokens.

At QuillAudits, we’re at the forefront of Web3 security, offering cutting-edge solutions to tackle any type of security concern. Feel free to get in touch with our experts for any Web3 security-related assistance.


Blockchain for dog nose wrinkles' Ponzi makes off ~$127M🐶

Project promised up to 150% returns on investment in 100 days, raising about 166.4 billion South Korean won — or about $127 million — from 22,000 people.

Latest blogs for this week

Understanding Fuzzing and Fuzz Testing: A Vital Tool in Web3 Security

Read Time: 5 minutes When it comes to smart contracts, ensuring the robustness and security of code is paramount. Many techniques are employed to safeguard these contracts against vulnerabilities
Read More

How EigenLayer’s Restaking Enhances Security and Rewards in DeFi

Read Time: 7 minutes Decentralized finance (DeFi) relies on Ethereum staking to secure the blockchain and maintain consensus. Restaking allows liquid staking tokens to be staked with validators in
Read More

ERC 404 Standard: Everything You Need to Know

Read Time: 7 minutes Introduction Ethereum has significantly shaped the crypto world with its introduction of smart contracts and decentralized applications (DApps). This has led to innovative developments in
Read More

DNS Attacks:  Cascading Effects and Mitigation Strategies

Read Time: 8 minutes Introduction DNS security is vital for a safe online space. DNS translates domain names to IP addresses, crucial for internet functionality. DNS ensures unique name-value
Read More

EIP-4844 Explained: The Key to Ethereum’s Scalability with Protodanksharding

Read Time: 7 minutes Introduction  Ethereum, the driving force behind dApps, has struggled with scalability. High fees and slow processing have limited its potential. They have kept it from
Read More

QuillAudits Powers Supermoon at ETH Denver!

Read Time: 4 minutes Calling all the brightest minds and leaders in the crypto world! Are you ready to build, connect, and innovate at the hottest event during ETH
Read More

Decoding the Role of Artificial Intelligence in Metaverse and Web3

Read Time: 7 minutes Introduction  Experts predict a transformative shift in global software, driven by AI and ML, marking the dawn of a new era. PwC predicts AI will
Read More

Transforming Assets: Unlocking Real-World Asset Tokenization

Read Time: 7 minutes In the blockchain, real-world assets (RWAs) are digital tokens that stand for tangible and conventional financial assets, including money, raw materials, stocks, and bonds. As
Read More
Scroll to Top

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:


Refer QuillAudits to Web3 projects for audits.


Earn rewards as we conclude the audits.


Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $200K+