code-423n4 / 2021-06-pooltogether-findings


BadgerYieldSource balanceOfToken share calculation seems wrong #84

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

When supplying to the BadgerYieldSource, some amount of badger is deposited to badgerSett and one receives badgerSett share tokens in return which are stored in the balances mapping of the user. So far this is correct.

The balanceOfToken function should then return the redeemable balance in badger for the user's badgerSett balance. It computes it as the pro-rata share of the user balance (compared to the total-supply of badgerSett) on the badger in the vault:

balances[addr].mul(
  badger.balanceOf(address(badgerSett))
).div(
  badgerSett.totalSupply()
)

However, badger.balanceOf(address(badgerSett)) is only a small amount of badger that is deployed in the vault ("Sett") due to most of the capital being deployed to the strategies. Therefore, it under-reports the actual balance:

"Typically, a Sett will keep a small portion of deposited funds in reserve to handle small withdrawals cheaply." (Badger Docs)

Impact

Any contract or user calling the balanceOf function will receive a value that is far lower than the actual balance. Using this value as a basis for computations will lead to further errors in the integrations.

Recommended Mitigation Steps

It should use badgerSett.balance() instead of badger.balanceOf(address(badgerSett)) to also account for "the balance in the Sett, the Controller, and the Strategy".
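An added example, not part of the original report or the project's code: a Python integer model of the share calculation above, comparing the reported formula with the recommended one after the Sett moves funds out of the vault. The `Sett` class, its 5% reserve, the pro-rata share minting and the deposit amounts are assumptions constructed for illustration.

```python
class Sett:
    """Simplified vault model (assumption): a reserve stays in the vault,
    the rest of the capital is deployed to a strategy."""

    def __init__(self, reserve_bps=500):   # constructed value: 5% reserve
        self.reserve_bps = reserve_bps
        self.vault_badger = 0      # models badger.balanceOf(address(badgerSett))
        self.strategy_badger = 0   # capital held outside the vault contract
        self.total_supply = 0      # models badgerSett.totalSupply()

    def balance(self):
        # models badgerSett.balance(): vault plus deployed capital
        return self.vault_badger + self.strategy_badger

    def deposit(self, amount):
        # assumed pro-rata minting against the full balance
        if self.total_supply == 0:
            shares = amount
        else:
            shares = amount * self.total_supply // self.balance()
        self.vault_badger += amount
        self.total_supply += shares
        return shares

    def earn(self):
        # move everything except the reserve to the strategy
        total = self.balance()
        self.vault_badger = total * self.reserve_bps // 10_000
        self.strategy_badger = total - self.vault_badger

    def redeemable(self, shares):
        # what the shares are actually worth on withdrawal
        return shares * self.balance() // self.total_supply


def balance_of_token_reported(sett, user_shares):
    # formula quoted in the finding: pro-rata share of the vault's own holdings
    return user_shares * sett.vault_badger // sett.total_supply


def balance_of_token_recommended(sett, user_shares):
    # recommended mitigation: pro-rata share of balance()
    return user_shares * sett.balance() // sett.total_supply


def demo():
    unit = 10**18                                # constructed token unit
    sett = Sett()
    sett.deposit(9_000 * unit)                   # other depositors
    user_shares = sett.deposit(1_000 * unit)     # the yield source's user
    before = balance_of_token_reported(sett, user_shares)
    sett.earn()
    after = balance_of_token_reported(sett, user_shares)
    fixed = balance_of_token_recommended(sett, user_shares)
    return before, after, fixed, sett.redeemable(user_shares)
```

In this model the reported formula is only accurate while all funds still sit in the vault; once `earn()` runs it returns the user's share of the reserve alone, while the `balance()`-based formula keeps matching the redeemable amount.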