ERC4626 Inflation attack discussion

I meant something like following in ERC4626 vault where _decimalsOffset() returns 0. The attacker will be at loss initially but can turn it into profit eventually.

  • Attacker deposits 1 asset
  • Attacker shares =1
  • total shares = 2(due to virtual shares)
  • total asset = 2(due to virtual assets)

Victim wants to deposit 5000 but was frontrun:

Attacker donates = 10000

  • Attacker shares =1
  • total shares = 2(due to virtual shares)
  • total asset = 10002

Attacker loss due to virtual share of 1 = 10002/2 = 5001

  • Victim deposit = 5000
  • shares alloted = 2 * 5000/10002 = 0

Now,

  • Attacker shares =1
  • total shares = 2(due to virtual shares)
  • Victim shares = 0
  • total asset = 15002

Finally,
Attacker total deposit as of now = 15002
Attacker loss = 10000-15002/2 = 10000-7501 = 2499

With each deposits attacker will overcome loss and eventually get in profit. In this case if he had frontrun 3 victims with 5000 amount each then he would end up in profit