Severity: Low
Files Affected
cadence/contracts/FlowALPv1.cdc
Description
When a user creates a new position, the Pool.createPosition() function injects a capability into the newly minted Position resource to allow it to communicate back with the pool. To achieve this, the function dynamically calls FlowALPv1.account.capabilities.storage.issue<auth(EPosition) &Pool>() for every single position. In Cadence, issuing a storage capability generates a persistent Capability Controller object within the issuing account's storage. Because a new capability is explicitly issued per position instead of reusing an existing one, the contract account will suffer from severe state bloat, permanently accumulating redundant Capability Controllers that all point to the exact same storage path.
Recommendation
Generate the auth(EPosition) &Pool capability exactly once during the pool's initialization (e.g., within PoolFactory.createPool()) and pass it into the Pool resource. The Pool should cache this capability in a dedicated internal state variable. During createPosition(), simply copy the cached capability struct into the new Position resource instead of issuing a new one.
Parent Issue: #209
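The recommendation above, sketched as an added example in Cadence 1.0 syntax (this is not the FlowALPv1 source). The contract name, storage path, field names, access modifiers and the shape of PoolFactory are assumptions; only Pool, Position, EPosition, createPosition() and createPool() come from the finding.

```cadence
// Added sketch, not project code. Names marked "assumed" are not from the finding.
access(all) contract CachedPoolCapSketch {

    access(all) entitlement EPosition

    // Assumed path; the finding does not name the real one.
    access(all) let PoolStoragePath: StoragePath

    access(all) resource Position {
        // Copy of the pool's single cached capability (assumed field name).
        access(self) let pool: Capability<auth(EPosition) &Pool>

        init(pool: Capability<auth(EPosition) &Pool>) {
            self.pool = pool
        }
    }

    access(all) resource Pool {
        // Issued once by the factory and reused for every position (assumed field name).
        access(self) let positionCap: Capability<auth(EPosition) &Pool>

        init(positionCap: Capability<auth(EPosition) &Pool>) {
            self.positionCap = positionCap
        }

        access(all) fun createPosition(): @Position {
            // Pattern described in the finding: one new Capability Controller per call.
            //   FlowALPv1.account.capabilities.storage.issue<auth(EPosition) &Pool>(...)
            // Recommended: copy the cached capability value; no controller is created.
            return <- create Position(pool: self.positionCap)
        }
    }

    access(all) resource PoolFactory {
        access(all) fun createPool() {
            let account = CachedPoolCapSketch.account
            // The only issue() call for this pool: exactly one controller is stored.
            let cap = account.capabilities.storage.issue<auth(EPosition) &Pool>(CachedPoolCapSketch.PoolStoragePath)
            // The capability resolves once the Pool is saved at the same path.
            account.storage.save(<- create Pool(positionCap: cap), to: CachedPoolCapSketch.PoolStoragePath)
        }
    }

    init() {
        self.PoolStoragePath = /storage/cachedPoolCapSketchPool // assumed
    }
}
```

With a single shared controller, deleting that controller invalidates the capability held by every Position at once, so per-position revocation has to be enforced by the Pool's own logic rather than by controller deletion.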