Audit - M04 #9
Description
Inflation attack:
Dullahan Vault:
In case of the Vault, the shares are rebasing tokens, meaning any depositor will receive the same exact amount of dstkAAVE that the stkAAVE deposited. In case of a direct transfer to the Vault be an attacker before a user deposit, it will not impact the amount of dstkAAVE minted for the depositor. Instead, it will increase all previous depositors dstkAAVE balances (the same way it is increased when the Vault claims AAVE rewards and stake them for stkAAVE)
Dullahan Rewards Staking:
In the case of the Staking contract, this type of inflation attack would work only if the depositor was the 1st to deposit, and the contract was empty. This is why an initial deposit is done during the initialization, to prevent from such attacks.
After, if an attacker sends tokens directly to the contract right before an user deposit, the funds will be absorbed in the index (increasing all previous depositors position), but for the user depositing, the amount of shares minted will end up representing their share of the total funds in the contract correctly.