In the current implementation, totalSupply is used instead of getActualSupply for the calculation of supply and weighted pool token prices. This can cause incorrect computation for newer pools.
Impact
Incorrect weighted pool token prices and incorrect supply calculation for newer pools.
hash
high
usage of totalSupply for newer balancer pools should be replaced with getActualSupply
Summary
totalSupply is used to obtain the supply for all pools which should be replaced with getActualSupply for newer ones
Vulnerability Detail
Balancer pools have different methods to get their total supply of minted LP tokens, which is also specified in the docs here https://docs.balancer.fi/concepts/advanced/valuing-bpt/valuing-bpt.html#getting-bpt-supply . The docs specifies that getActualSupply is used by the most recent versions of Weighted and Stable Pools. It accounts for pre-minted BPT as well as due protocol fees. To give you few examples of newer weighted pools that uses getActualSupply https://etherscan.io/address/0x9f9d900462492d4c21e9523ca95a7cd86142f298 https://etherscan.io/address/0x3ff3a210e57cfe679d9ad1e9ba6453a716c56a2e https://etherscan.io/address/0xcf7b51ce5755513d4be016b0e28d6edeffa1d52a
In the current implementation,
totalSupplyis used instead ofgetActualSupplyfor the calculation of supply and weighted pool token prices. This can cause incorrect computation for newer pools.Impact
Incorrect weighted pool token prices and incorrect supply calculation for newer pools.
Code Snippet
in price https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/PRICE/submodules/feeds/BalancerPoolTokenPrice.sol#L402
in supply https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/SPPLY/submodules/AuraBalancerSupply.sol#L345
Tool used
Manual Review
Recommendation
If
getActualSupplyfunction exists on the contract, invoke it to obtain the supply.Duplicate of #155