Wrong methodology for stable BPT price calculation
Summary
The current methodology for determining the price of the BPT token in the Balancer Stable pool is inaccurate and may lead to significant deviations from the actual price.
Vulnerability Detail
Currently, to determine the price of the BPT token in the Balancer Stable pool, the current rate is multiplied by the lowest price among the prices of all assets in the pool. This approach resembles the methodology used by Curve, but Balancer pools are different, making this methodology incorrect for them. I will examine a real pool example to demonstrate this claim.
The token with the lowest price is AuraBal - $11.08.
11500792 10^18 / 956674679920805725551269 = 12.021633102 // I divide the total pool value by the number of BPT tokens.
1035081436163976241 1108 10^16 / 1e36 = 11.4687023127 // getRate() minPrice
The difference between the two obtained values is nearly 5%, indicating that significant deviations can occur using the employed methodology. While this example doesn't utilize the tokens from the README file, it demonstrates that any pool can reach a state where the applied methodology deviates significantly from the actual price.
Potentially incorrect prices returned by the Balancer feed, which could impact the operation of the RBS module. For instance, using the wrong price during a swap may lead to financial losses for the protocol.
ge6a
medium
Wrong methodology for stable BPT price calculation
Summary
The current methodology for determining the price of the BPT token in the Balancer Stable pool is inaccurate and may lead to significant deviations from the actual price.
Vulnerability Detail
Currently, to determine the price of the BPT token in the Balancer Stable pool, the current rate is multiplied by the lowest price among the prices of all assets in the pool. This approach resembles the methodology used by Curve, but Balancer pools are different, making this methodology incorrect for them. I will examine a real pool example to demonstrate this claim.
Pool name: Balancer auraBAL Stable Pool Pool symbol: B-auraBAL-STABLE Pool type: Stable Pool value: $11,500,792 Link: https://app.balancer.fi/#/ethereum/pool/0x3dd0843a028c86e0b760b1a76929d1c5ef93a2dd000200000000000000000249
Aura Bal : $11.08 Balancer 80 BAL 20 WETH : $11.26
getRate() : 1035081436163976241 totalSupply() : 956674679920805725551269
The token with the lowest price is AuraBal - $11.08.
11500792 10^18 / 956674679920805725551269 = 12.021633102 // I divide the total pool value by the number of BPT tokens. 1035081436163976241 1108 10^16 / 1e36 = 11.4687023127 // getRate() minPrice
The difference between the two obtained values is nearly 5%, indicating that significant deviations can occur using the employed methodology. While this example doesn't utilize the tokens from the README file, it demonstrates that any pool can reach a state where the applied methodology deviates significantly from the actual price.
This is a similar issue from different contest: https://solodit.xyz/issues/h-1-stable-bpt-valuation-is-incorrect-and-can-be-exploited-to-cause-protocol-insolvency-sherlock-none-blueberry-update-3-git
Impact
Potentially incorrect prices returned by the Balancer feed, which could impact the operation of the RBS module. For instance, using the wrong price during a swap may lead to financial losses for the protocol.
Code Snippet
https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/PRICE/submodules/feeds/BalancerPoolTokenPrice.sol#L451-L551
Tool used
Manual Review
Recommendation
Consider using a different methodology for calculating the price of the BPT token for Stable pools.
Duplicate of #176