Similarities to ERC-4626 first-deposit issue
The Vault contracts (i.e. VaultV2, WooSuperchargerVaultV2) closely resemble ERC-4626 vaults. The resemblance extends to the known first-deposit issue, where a malicious user can front-run the first deposit of a legitimate user and inflate the value of their own shares (by transferring assets directly to the vault) so that they can withdraw more than they should, while the legitimate user is minted zero shares and is left with nothing to withdraw.
To mitigate against this issue, we recommend the following:
Create "dead shares" upon the first liquidity deposit. This can be done in multiple ways, one of them being that the first deposit has to be performed by a trusted party and its shares are sent to a dead address, so that no single depositor can ever hold the only outstanding share.
Keep track of the assets held by the vault internally, rather than relying on the balanceOf function. This way, assets donated directly to the vault cannot influence the vault's internal accounting.
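The share arithmetic behind this finding, as an added example that is not the project's code: a Python model of a minimal share vault, run once with balanceOf-based pricing and once with each of the two mitigations above. The Vault class, run_scenario and all amounts are constructed for illustration; the 1,000 dead shares and 10,000 donation are arbitrary.

```python
class Vault:
    # Constructed model; not the VaultV2 / WooSuperchargerVaultV2 code.
    def __init__(self, dead_shares=0, track_internally=False):
        self.dead_shares = dead_shares            # shares minted to a dead address on first deposit
        self.track_internally = track_internally  # price shares on internal accounting, not balanceOf
        self.balance = 0       # what token.balanceOf(vault) would return; donations land here
        self.total_assets = 0  # internal accounting: moved only by deposit() and redeem()
        self.total_shares = 0
        self.shares = {}

    def _pricing_assets(self):
        return self.total_assets if self.track_internally else self.balance

    def donate(self, amount):
        self.balance += amount  # direct ERC-20 transfer that bypasses deposit()

    def deposit(self, who, amount):
        if self.total_shares == 0:
            minted = amount - self.dead_shares
            if minted <= 0:
                raise ValueError("first deposit must exceed the dead-share amount")
            self.total_shares = self.dead_shares  # dead shares are never redeemable
        else:
            minted = amount * self.total_shares // self._pricing_assets()
        self.shares[who] = self.shares.get(who, 0) + minted
        self.total_shares += minted
        self.balance += amount
        self.total_assets += amount
        return minted

    def redeem(self, who):
        owned = self.shares.pop(who, 0)
        if owned == 0:
            return 0
        assets = owned * self._pricing_assets() // self.total_shares
        self.total_shares -= owned
        self.balance -= assets
        self.total_assets -= min(assets, self.total_assets)
        return assets


def run_scenario(vault, donation=10_000, victim_deposit=10_000):
    # Smallest first deposit, then a donation, then the victim's deposit and both redemptions.
    seed = vault.dead_shares + 1  # smallest first deposit that yields exactly one share
    vault.deposit("first", seed)
    vault.donate(donation)
    victim_shares = vault.deposit("victim", victim_deposit)
    victim_out = vault.redeem("victim")
    first_out = vault.redeem("first")
    return {"first_in": seed + donation, "first_out": first_out,
            "victim_shares": victim_shares, "victim_out": victim_out}
```

With balanceOf pricing the victim receives zero shares and the first depositor redeems the whole balance; with internal accounting the donation is simply ignored for pricing, and with dead shares the inflation costs the first depositor far more than it gains.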