Weights in Balancer Managed Pools Can Change

[c4-bot-6]

Lines of code

https://github.com/code-423n4/2024-07-loopfi/blob/1b32965bc1ce36b885df687069880140073c6285/src/oracle/BalancerOracle.sol#L9-L12

Vulnerability details

The Balancer V2 price feed reads the weights of the Balancer pool during deployment and stores them as immutable. The oracle also supports managed pools, with getActualSupply(), but from the Balancer documentation (https://web.archive.org/web/20230928124529/https://docs.balancer.fi/concepts /pools/managed.html#weights) the weights can be changed by the pool owner. Changing the weights of the pool will break the oracle as the price of the respective lp tokens depends on these weights.

[c4-bot-6]

Discord id(s) for hunter(s): [object Object]