`Controller.inCaseStrategyGetStuck` does not update balance

[code423n4]

Handle

cmichel

Vulnerability details

The Controller.inCaseStrategyGetStuck withdraws from a strategy but does not call updateBalance(_vault, _strategy) afterwards.

Impact

The _vaultDetails[_vault].balances[_strategy] variable does not correctly track the actual strategy balance anymore. I'm not sure what exactly this field is used for besides getting the withdraw amounts per strategy in getBestStrategyWithdraw. As the strategy contains a lower amount than stored in the field, Controller.withdraw will attempt to withdraw too much.

Recommended Mitigation Steps

Call updateBalance(_vault, _strategy) in inCaseStrategyGetStuck.

[GalloDaSballo]

Agree with finding, I also believe inCaseStrategyGetStuck and inCaseTokenGetStuck are vectors for admin rugging, may want to add checks to ensure only non strategy token can be withdrawn from the vaults and strats