'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
OpenEden Disclosed Report
Audit report OpenEden USDO Express Smart Contract Audit ContestcUSDO ERC4626 First Depositor Inflation Attack: Griefing Vector with 9-25% User Fund Loss
Target
https://github.com/OpenEdenHQ/openeden.usdoexpress.audit/tree/f3f31d2ac15e3253cba342229f9d05495f95d6fd
Vulnerability Details
Contract: cUSDO.sol https://github.com/OpenEdenHQ/openeden.usdoexpress.audit/blob/f3f31d2ac15e3253cba342229f9d05495f95d6fd/contracts/tokens/cUSDO.sol#L39
Location: Inherits standard ERC4626Upgradeable without virtual shares offset protection
Type: Griefing Attack / User Fund Loss / ERC4626 Inflation Vulnerability
Vulnerability Description
cUSDO uses standard OpenZeppelin ERC4626Upgradeable implementation with default _decimalsOffset() = 0, which provides minimal virtual shares protection but is insufficient to prevent user fund loss. Despite OpenZeppelin's virtual offset mechanism making the attack "non-profitable" for attackers, victims still lose 9-25% of their deposits.
This is a griefing attack where attacker loses money (-20K USDO) but causes 10K+ losses for victims. The default offset=0 adds +1 virtual share to calculations, preventing attacker profit but not preventing victim losses.
Root Cause
cUSDO inherits standard ERC4626 with default _decimalsOffset() = 0:
// cUSDO.sol:38-45
contract cUSDO is
ERC4626Upgradeable, // ⚠️ Uses offset=0 (insufficient protection)
AccessControlUpgradeable,
PausableUpgradeable,
UUPSUpgradeable,
IERC20PermitUpgradeable,
EIP712Upgradeable
{
// Inherits _decimalsOffset() = 0 from OpenZeppelin
// This adds +1 virtual share/asset but is INSUFFICIENT
// No minimum first deposit requirement
// No checks against donation attacks
}
OpenZeppelin ERC4626 Share Calculation with offset=0:
// OpenZeppelin ERC4626Upgradeable internal functions:
function _convertToShares(uint256 assets) internal view returns (uint256) {
// offset=0 means 10^0 = 1 virtual share added
return assets * (totalSupply + 1) / (totalAssets + 1);
}
function _convertToAssets(uint256 shares) internal view returns (uint256) {
// offset=0 means 10^0 = 1 virtual asset added
return shares * (totalAssets + 1) / (totalSupply + 1);
}
// With 1 wei initial deposit and 50K donation:
totalAssets = 50,000e18 + 1
totalSupply = 1
// Victim deposits 100K USDO with virtual offset:
shares = 100,000e18 * (1 + 1) / (50,000e18 + 1 + 1)
shares = 100,000e18 * 2 / 50,000e18
shares = 4 (but victim only gets 3 after rounding)
// Attacker redeems 1 share:
assets = 1 * (150,000e18 + 1) / (4 + 1)
assets = 30,000e18 (attacker gets 30K, loses 20K net)
// Victim gets remaining: 90K (loses 10K)
The Problem:
- ✅ offset=0 does add +1 virtual protection
- ❌ But +1 is insufficient for large donations (50K)
- ❌ Makes attack "non-profitable" but NOT "prevented"
- ❌ Attacker loses money BUT victims still lose 9-25%
- ❌ This is a griefing attack (attacker damages victims despite own loss)
Impact
- User Fund Loss: Victims lose 9-25% of deposits (confirmed in tests)
- Griefing Attack: Attacker loses money (-20K) but damages victims
- Early Depositor Risk: First users after attacker suffer most
- KYC Doesn't Prevent: Attack works even with KYC (just traceable)
- No User Protection: Victims have no way to detect or prevent attack
Validation steps
Exploitation Scenario
Description: Attacker deposits 1 wei, donates 50K USDO, victim loses 10K (9% of 100K deposit).
Test: test/cUSDO_InflationAttack.t.sol::test_InflationAttack_BasicScenario()
Attack Flow
Step 1: Attacker deposits 1 wei and donates 50K USDO
cusdo.deposit(1, attacker) → 1 share
usdo.transfer(cusdo, 50_000e18) → donation
Result:
totalAssets = 50,000 USDO
totalSupply = 1 share
Price per share = 50,000 USDO
Step 2: Victim deposits 100K USDO
cusdo.deposit(100_000 USDO, victim)
Calculation with offset=0:
shares = 100,000 * (1 + 1) / (50,000 + 1)
shares = 100,000 * 2 / 50,000 = 4
But victim only gets 3 shares after rounding!
Expected: 100,000 shares
Actual: 3 shares
Step 3: Both redeem
Attacker redeems 1 share:
assets = 1 * 150,000 / 4 = 30,000 USDO
Loss: 50,000 - 30,000 = -20,000 USDO ❌
Victim redeems 3 shares:
assets = 3 * 120,000 / 3 = 90,000 USDO
Loss: 100,000 - 90,000 = -10,000 USDO ❌
Result:
Attacker: -20,000 USDO (griefing cost)
Victim: -10,000 USDO (9% loss)
This is a GRIEFING attack - attacker loses to damage victims
Test Implementation
File: test/cUSDO_InflationAttack.t.sol
Run Tests:
forge test --match-contract cUSDOInflationAttackTest -vv
Test Results:
[PASS] test_InflationAttack_BasicScenario()
Victim loss: 9,999 USDO (9%)
Attacker loss: 20,000 USDO (griefing)
[PASS] test_InflationAttack_SevereRounding()
Victim loss: 10,000 USDO (25%)
Worst case confirmed
[PASS] test_InflationAttack_MitigationWorks()
With admin initial deposit: victim loss ~0
[PASS] test_VerifyInsufficientOffset()
Confirmed: offset=0 adds +1 but insufficient
Summary
This vulnerability demonstrates how insufficient virtual shares offset (offset=0) causes user fund loss:
- 9-25% User Loss: Confirmed in tests (10K loss from 100K deposit)
- Griefing Attack: Attacker loses 20K but damages victims 10K
- OpenZeppelin Confirmed: Their docs state offset=0 makes attack "non-profitable" but NOT "prevented"
- No User Protection: Victims cannot detect or prevent attack
OpenZeppelin's Assessment:
"While not fully preventing the attack, analysis shows that the default offset (0) makes it non-profitable"
This confirms offset=0 exists but is insufficient - attack still causes victim losses.
Real-World Probability:
- Malicious Attack: LOW (requires 50K capital + attacker loses money)
- KYC Impact: Makes attacker traceable but doesn't prevent attack technically
Recommended Fix
Admin Initial Deposit (Recommended)
Deploy cUSDO with admin making first deposit:
// During deployment
1. Deploy cUSDO
2. Admin deposits 1,000 USDO initially
3. cUSDO now has sufficient liquidity to prevent inflation
// Result: Price manipulation becomes impractical
Benefits:
- ✅ Prevents attack completely
- ✅ Only 1,000 USDO needed
- ✅ No code changes required
- ✅ Used by major protocols (Uniswap, Curve)
Alternative: Increase Virtual Offset
contract cUSDO is ERC4626Upgradeable {
function _decimalsOffset() internal pure virtual override returns (uint8) {
return 3; // 10^3 = 1000 virtual shares (vs default 10^0 = 1)
}
}
This makes attack "orders of magnitude more expensive" (per OpenZeppelin docs).
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (4) 
