In the _getReserves function of the AuraBalancerSupply contract, the totalSupply function is incorrectly used to obtain the supply, which may cause the final calculated supply to be incorrect.
Vulnerability Detail
In the _getReserves function, the totalSupply function is used to obtain the supply. According to Balancer's suggestion in the comments, the supply obtained by totalSupply is inaccurate. If there are anti-reentrancy measures, it is best to use getActualSupply.
function _getReserves(Pool storage pool) internal view returns (SPPLYv1.Reserves memory) {
// Get the balancer pool token balance of the manager
uint256 balBalance = pool.balancerPool.balanceOf(polManager);
// If an aura pool is defined, get the underlying balance and add to the balancer pool balance before adding to the total POL supply
// We don't have to do a ERC4626 shares to assets conversion because aura pools are all 1:1 with balancer pool balances
if (address(pool.auraPool) != address(0)) balBalance += pool.auraPool.balanceOf(polManager);
// Get the pool tokens and total balances of the pool
(address[] memory _vaultTokens, uint256[] memory _vaultBalances, ) = balVault.getPoolTokens(
pool.balancerPool.getPoolId()
);
// Get the total supply of the balancer pool
uint256 balTotalSupply = pool.balancerPool.totalSupply();
Impact
This may lead to supply inaccuracies, which may affect OHM's exchange price.
function _getReserves(Pool storage pool) internal view returns (SPPLYv1.Reserves memory) {
// Get the balancer pool token balance of the manager
uint256 balBalance = pool.balancerPool.balanceOf(polManager);
// If an aura pool is defined, get the underlying balance and add to the balancer pool balance before adding to the total POL supply
// We don't have to do a ERC4626 shares to assets conversion because aura pools are all 1:1 with balancer pool balances
if (address(pool.auraPool) != address(0)) balBalance += pool.auraPool.balanceOf(polManager);
// Get the pool tokens and total balances of the pool
(address[] memory _vaultTokens, uint256[] memory _vaultBalances, ) = balVault.getPoolTokens(
pool.balancerPool.getPoolId()
);
// Get the total supply of the balancer pool
uint256 balTotalSupply = pool.balancerPool.totalSupply();
Tool used
Manual Review
Recommendation
The contract already uses the anti-reentrancy method, so it is recommended to use the getActualSupply function.
Drynooo
medium
Wrong function used to get totalSupply
Summary
In the _getReserves function of the AuraBalancerSupply contract, the totalSupply function is incorrectly used to obtain the supply, which may cause the final calculated supply to be incorrect.
Vulnerability Detail
In the _getReserves function, the totalSupply function is used to obtain the supply. According to Balancer's suggestion in the comments, the supply obtained by totalSupply is inaccurate. If there are anti-reentrancy measures, it is best to use getActualSupply.
AuraBalancerSupply.sol#L345C34-L345C66
Impact
This may lead to supply inaccuracies, which may affect OHM's exchange price.
Code Snippet
AuraBalancerSupply.sol#L345C34-L345C66
Tool used
Manual Review
Recommendation
The contract already uses the anti-reentrancy method, so it is recommended to use the getActualSupply function.
Duplicate of #155