Incorrect total supply calculation in Balancer Weighted Pools

Summary

The calculation of the total supply in Balancer Weighted Pools incorrectly uses the totalSupply function, leading to an inaccurate determination of the BPT (Balancer Pool Token) price.

Vulnerability Detail

When determining the unit price of the pool token for the Balancer weighted pool, the function getWeightedPoolTokenPrice gets the pool's total supply by calling pool.totalSupply.

    uint256 poolSupply_ = pool.totalSupply();

https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/PRICE/submodules/feeds/BalancerPoolTokenPrice.sol#L402

However, using totalSupply is inappropriate. The correct approach is to use the getActualSupply function. The getActualSupply accounts for pre-minted BPT and due protocol fees, which are not considered in the totalSupply calculation. This distinction is critical for accurate valuation, as totalSupply does not reflect the pool's actual indebtedness to the protocol.

Reference from Balancer documentation:

    getActualSupply

    This is the most common/current function to call. getActualSupply is used by the most recent versions of Weighted and Stable Pools. It accounts for pre-minted BPT as well as due protocol fees.

https://docs.balancer.fi/concepts/advanced/valuing-bpt/valuing-bpt.html#getactualsupply

Impact

Using the incorrect poolSupply value leads to a miscalculation of the poolTokenPrice. The protocol will exchanging ohm for the assets at a wrong price.

Code Snippet

https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/PRICE/submodules/feeds/BalancerPoolTokenPrice.sol#L402

Tool used

Manual Review

Recommendation

To ensure accurate total supply calculation, replace the totalSupply call with getActualSupply.

Duplicate of #155

sherlock-audit / 2023-11-olympus-judging

ast3ros - Incorrect total supply calculation in Balancer Weighted Pools #194