# 57401 sc critical erc4626 inflation attack vulnerability

**Submitted on Oct 25th 2025 at 21:17:11 UTC by @iehnnkta for** [**Audit Comp | Belong**](https://immunefi.com/audit-competition/audit-comp-belong)

* **Report ID:** #57401
* **Report Type:** Smart Contract
* **Report severity:** Critical
* **Target:** <https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/periphery/Staking.sol>
* **Impacts:**
  * Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

## Description

### Brief/Intro

The `staking` contract inherits ERC4626, which by default is vulnerable to the inflation attack on freshly deployed vaults.

### Vulnerability Details

An attacker can manipulate the asset-to-share ratio by funding the contract directly instead of going through the `deposit` function. The typical attack scenario is given in the PoC section.

### Impact Details

For the above attack to happen, there are a few conditions to be fulfilled:

* The deployed staking contract must not have minted any tokens previously. In the script file provided, no initial minting happens.
* No other user should stake in the vault until the attacker withdraws, which is mostly not possible.

Because of the above 2 conditions, the Severity was Medium. The attacker can repeat this process indefinitely to drain all the LONG tokens of users who are going to interact with the vault, if the gap between two users is larger than a day, which is likely not possible.

## Proof of Concept

{% stepper %}
{% step %}

### Step

The `staking` vault gets deployed. Right after that, the attacker deposits 1 wei of LONG token to get 1 share of sLONG token.
{% endstep %}

{% step %}

### Step

The attacker now sees a legitimate user's deposit of 10e18 LONG tokens.
{% endstep %}

{% step %}

### Step

The attacker front-runs this transaction by sending 10e18 LONG tokens directly to the vault.
{% endstep %}

{% step %}

### Step

When the user's transaction executes, they are minted 0 shares, because `(10e18 / (10e18+1))` rounds down to 0.
{% endstep %}

{% step %}

### Step

Once the minimum duration passes, the attacker withdraws 20e18+1 LONG tokens from the vault with that single share.
{% endstep %}
{% endstepper %}
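
The integer arithmetic behind the steps above, as an added example that is not part of the original report and is not the audited `Staking.sol`. The `Vault` class, `donate`, and `run_scenario` are constructed names. The `virtual_offset` branch models the virtual shares/assets formula used by OpenZeppelin's ERC4626 since v4.9; it is shown as one possible mitigation and is an assumption, not something the report states about the target.

```python
# Added illustration (not the audited Staking.sol): integer share math of a
# simplified ERC4626-style vault. Class and method names are constructed.

class Vault:
    def __init__(self, virtual_offset=None):
        self.assets = 0   # LONG held by the vault (what totalAssets() reads)
        self.supply = 0   # sLONG shares in circulation
        # None = plain ratio as in the report; an int enables virtual
        # shares/assets (assumed mitigation, not confirmed for the target).
        self.v_shares = 0 if virtual_offset is None else 10 ** virtual_offset
        self.v_assets = 0 if virtual_offset is None else 1

    def deposit(self, amount):
        if self.v_shares == 0 and self.supply == 0:
            shares = amount                      # first deposit mints 1:1
        else:                                    # floor division, like Solidity
            shares = (amount * (self.supply + self.v_shares)
                      // (self.assets + self.v_assets))
        self.assets += amount
        self.supply += shares
        return shares

    def donate(self, amount):
        self.assets += amount                    # direct transfer, no shares minted

    def redeem(self, shares):
        out = (shares * (self.assets + self.v_assets)
               // (self.supply + self.v_shares))
        self.assets -= out
        self.supply -= shares
        return out

def run_scenario(virtual_offset=None):
    victim_amount = 10 * 10**18                   # "10e18" in the report
    vault = Vault(virtual_offset)
    attacker_shares = vault.deposit(1)            # 1 wei deposit
    vault.donate(victim_amount)                   # direct funding lands first
    victim_shares = vault.deposit(victim_amount)  # victim's deposit executes
    attacker_out = vault.redeem(attacker_shares)  # withdrawal after min duration
    attacker_in = 1 + victim_amount
    return victim_shares, attacker_out, attacker_in

if __name__ == "__main__":
    for offset in (None, 0, 6):
        print(offset, run_scenario(offset))
```

With `virtual_offset=None` the result matches the report's numbers; with an offset the victim receives a non-zero share count and the donated funds are no longer fully recoverable by the first depositor.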


