LP token balanceOf used for pricing
An oracle & external dependencies factor in the v1.7.0 rubric. Measured per protocol on a s cadence.
Methodology: how we score
**What this measures** This factor checks whether the protocol derives pricing from the `balanceOf` of LP tokens held in a contract — a pattern that is manipulable by direct token transfer ("donation") without going through the protocol's normal deposit path. Source inspection identifies whether price calculations depend on `balanceOf` rather than internal accounting state.
**Why it matters** Using `balanceOf` for pricing creates a donation-manipulable oracle: any attacker who can transfer tokens directly to the contract (bypassing `deposit()`) can artificially inflate the apparent value of LP shares. The Cashio hack ($48M, 2022) is the definitive case: the CASH stablecoin's LP token collateral validation never checked the `.mint` field of the SPL token, allowing an attacker to create fake collateral. bEarnFi ($18M, 2021) suffered a multi-layer vault accounting failure where token denomination consistency was broken by a similar balance-manipulation path. ERC-4626 share-inflation attacks (Silo Finance variant) use an analogous mechanism. Protocols that use `balanceOf` for pricing without canonical reserve tracking are structurally vulnerable.
**Green / Yellow / Red** Green is scored when pricing is derived from internal accounting state (tracked reserves, virtual shares) rather than live `balanceOf` calls. Yellow is scored when `balanceOf` is used but mediated through a time-delayed or TWAP-based calculation that reduces instant manipulation risk. Red is scored when the protocol derives collateral or exchange-rate pricing directly from `balanceOf` of an LP or vault token with no additional protection.
**Common gray cases** Gray is applied when the pricing mechanism is implemented in an upgradeable module and the current deployed logic cannot be confirmed through source inspection alone.
**Notable historical examples**
- **Cashio** ($48M, 2022): LP token collateral validation relied on balance fields; the `.mint` field was never validated, enabling fake collateral creation.
- **bEarnFi** ($18M, 2021): Multi-layer vault strategy used cross-token balance accounting that was manipulated via token denomination mismatch.
Measurement: what to look for
Determine whether protocol pricing is derived from the `balanceOf` of LP tokens in a contract (manipulable by direct token transfer / donation).
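The Red and Green pricing patterns from the methodology, side by side in an added illustration that is not the rubric's or any protocol's code. The token ledger, the vault and every name in it are constructed assumptions; the point is that a direct transfer moves the `balanceOf`-derived price while the price from tracked reserves stays put, and that the gap between the two is something a reviewer or monitor can measure.

```python
from fractions import Fraction

class Token:
    """Minimal fungible-token ledger (constructed for this example)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

class Vault:
    """Hypothetical vault: holds LP tokens, issues shares, prices them two ways."""
    ADDRESS = "vault"

    def __init__(self, lp):
        self.lp, self.total_shares = lp, 0
        self.tracked_reserves = 0  # internal accounting: only deposit() writes it

    def deposit(self, sender, amount):
        shares = amount if self.total_shares == 0 else (
            amount * self.total_shares // self.tracked_reserves)
        if shares == 0:
            raise ValueError("deposit too small to mint a share")
        self.lp.transfer(sender, self.ADDRESS, amount)
        self.tracked_reserves += amount
        self.total_shares += shares
        return shares

    def price_from_balance_of(self):  # Red: any direct transfer moves this
        return Fraction(self.lp.balance_of(self.ADDRESS), self.total_shares)
    def price_from_tracked_reserves(self):  # Green: only deposit() moves this
        return Fraction(self.tracked_reserves, self.total_shares)
    def untracked_surplus(self):  # tokens that arrived outside deposit()
        return self.lp.balance_of(self.ADDRESS) - self.tracked_reserves

def run_scenario():
    lp = Token({"alice": 1_000, "donor": 9_000})  # constructed sample balances
    vault = Vault(lp)
    vault.deposit("alice", 1_000)
    before = (vault.price_from_balance_of(), vault.price_from_tracked_reserves())
    lp.transfer("donor", Vault.ADDRESS, 9_000)  # direct transfer, bypasses deposit()
    after = (vault.price_from_balance_of(), vault.price_from_tracked_reserves())
    return before, after, vault.untracked_surplus()
```

A non-zero `untracked_surplus()` is the same divergence source inspection looks for statically: balance held by the contract that internal accounting never recorded.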