code-423n4 / 2021-09-yaxis-findings


`cap` isn't enforced #134

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xsanson

Vulnerability details

Impact

When adding a strategy in `Controller.sol`, a variable `cap` is passed to `_vaultDetails[_vault].caps[_strategy]`. I guess this is the maximum balance allowed for this strategy, but this is actually never used in the current implementation.

Tools Used

editor

Recommended Mitigation Steps

Check if this is a wanted feature of the protocol, and (if positive) add some checks to enforce it.

Haz077 commented 2 years ago

I also don't see where `cap` is used.

uN2RVw5q commented 2 years ago

I also don't see where cap is being used. If it's supposed to represent the maximum a vault can hold, it's not very obvious how to enforce it on chain.

transferAndCall commented 2 years ago

Caps aren't enforced in code. Since users can't deposit directly to strategies, it's up to the strategist to manage caps of strategies. We could likely refactor to remove caps altogether and save some gas.

GalloDaSballo commented 2 years ago

Finding acknowledged, may want to remove / refactor that functionality
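For readers who take the "enforce it" branch of the mitigation rather than removing the field, the sketch below shows what an on-chain cap check looks like when the controller is the only path by which funds reach a strategy (the situation the sponsor describes). This is an added example written for this issue, not yAxis code: the contract and function names (`CappedController`, `StrategyLike`, `earn`, `remainingCapacity`, `StrategyCapExceeded`), the `isStrategy` flag and the "cap of 0 means uncapped" convention are all invented for the illustration and do not reflect how `Controller.sol` is actually structured.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only. Interfaces and names are invented for this example and
// are not the yAxis Controller.sol API.
interface StrategyLike {
    function balanceOf() external view returns (uint256); // strategy's total managed balance
    function deposit(uint256 amount) external;
}

interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract CappedController {
    struct VaultDetail {
        mapping(address => uint256) caps;      // max balance a strategy may hold (0 = uncapped)
        mapping(address => bool) isStrategy;   // strategy registered for this vault
        address token;                         // underlying token moved between vault and strategies
    }

    address public immutable strategist;
    mapping(address => VaultDetail) private _vaultDetails;

    error StrategyCapExceeded(address strategy, uint256 attempted, uint256 cap);
    event CapUpdated(address indexed vault, address indexed strategy, uint256 cap);

    modifier onlyStrategist() {
        require(msg.sender == strategist, "!strategist");
        _;
    }

    constructor() {
        strategist = msg.sender;
    }

    // Mirrors the pattern in the finding: the cap is recorded when the strategy is added.
    function addStrategy(address vault, address token, address strategy, uint256 cap) external onlyStrategist {
        VaultDetail storage vd = _vaultDetails[vault];
        vd.token = token;
        vd.isStrategy[strategy] = true;
        vd.caps[strategy] = cap;
        emit CapUpdated(vault, strategy, cap);
    }

    function setCap(address vault, address strategy, uint256 cap) external onlyStrategist {
        require(_vaultDetails[vault].isStrategy[strategy], "!strategy");
        _vaultDetails[vault].caps[strategy] = cap;
        emit CapUpdated(vault, strategy, cap);
    }

    // Headroom left under the cap; lets off-chain tooling size an `earn` call before sending it.
    function remainingCapacity(address vault, address strategy) public view returns (uint256) {
        uint256 cap = _vaultDetails[vault].caps[strategy];
        if (cap == 0) return type(uint256).max;            // uncapped by convention in this sketch
        uint256 held = StrategyLike(strategy).balanceOf();
        return held >= cap ? 0 : cap - held;
    }

    // The check the finding says is missing: refuse to push the strategy past its cap.
    // Because only the controller can move funds into a strategy, checking here is sufficient.
    function earn(address vault, address strategy, uint256 amount) external onlyStrategist {
        VaultDetail storage vd = _vaultDetails[vault];
        require(vd.isStrategy[strategy], "!strategy");

        uint256 cap = vd.caps[strategy];
        if (cap != 0) {
            uint256 held = StrategyLike(strategy).balanceOf();
            // Solidity 0.8 checked arithmetic: held + amount cannot silently wrap.
            if (held + amount > cap) revert StrategyCapExceeded(strategy, held + amount, cap);
        }

        // Funds path is simplified for the example: the vault has approved the controller.
        require(IERC20Like(vd.token).transferFrom(vault, strategy, amount), "transfer failed");
        StrategyLike(strategy).deposit(amount);
    }
}
```

Two design points worth noting. First, the check reads the strategy's live balance rather than tracking deposits in the controller, so yield accrued inside the strategy counts toward the cap; if the intent is to limit principal only, the controller would instead keep its own per-strategy deposit counter and check that. Second, treating `cap == 0` as "uncapped" is a convenience that makes the field optional; the cost is that a strategist who really wants a hard zero must use a sentinel such as `1`, so a codebase that keeps the field should pick one convention and document it. If the team follows the sponsor's suggestion and removes caps instead, none of this is needed and the storage write in `addStrategy` goes away with it.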