Strategy is not cap at strategy's cap

[code423n4]

Handle

jonah1005

Vulnerability details

Impact

There are no cap checks when depositing (through the vault earn) to the strategy.

Proof of Concept

This is the web3.py script:

print(controller.functions.getCap(vault.address, strategy.address).call())
print(strategy.functions.balanceOf().call())

The output log:

10000000000000000000000
98577584224142208730976

Tools Used

Hardhat

Recommended Mitigation Steps

Add a check in the controller.

[Haz077]

I think cap is meant only for depositing, not earn.

[GalloDaSballo]

Finding is not properly documented, will agree with sponsor