From 4fabd692cfc2cada1284d5888031ab3ece54cf48 Mon Sep 17 00:00:00 2001
From: liobrasil <limol.lionel@gmail.com>
Date: Mon, 12 Jan 2026 21:46:07 -0400
Subject: [PATCH] Validate beta and clean up grants

---
 cadence/contracts/FlowYieldVaults.cdc           |  4 ++++
 cadence/contracts/FlowYieldVaultsClosedBeta.cdc | 11 +++++++++++
 2 files changed, 15 insertions(+)

diff --git a/cadence/contracts/FlowYieldVaults.cdc b/cadence/contracts/FlowYieldVaults.cdc
index cb20b19..3c4a085 100644
--- a/cadence/contracts/FlowYieldVaults.cdc
+++ b/cadence/contracts/FlowYieldVaults.cdc
@@ -438,6 +438,10 @@ access(all) contract FlowYieldVaults {
     }
     /// Creates a YieldVaultManager used to create and manage YieldVaults
     access(all) fun createYieldVaultManager(betaRef: auth(FlowYieldVaultsClosedBeta.Beta) &FlowYieldVaultsClosedBeta.BetaBadge): @ YieldVaultManager {
+        pre {
+            FlowYieldVaultsClosedBeta.validateBeta(betaRef.getOwner(), betaRef):
+            "Invalid Beta Ref"
+        }
         return <-create YieldVaultManager()
     }
     /// Creates a StrategyFactory resource
diff --git a/cadence/contracts/FlowYieldVaultsClosedBeta.cdc b/cadence/contracts/FlowYieldVaultsClosedBeta.cdc
index e544d3f..41f708b 100644
--- a/cadence/contracts/FlowYieldVaultsClosedBeta.cdc
+++ b/cadence/contracts/FlowYieldVaultsClosedBeta.cdc
@@ -69,6 +69,16 @@ access(all) contract FlowYieldVaultsClosedBeta {
         return cap
     }
 
+    /// Clean up any previously issued controller before issuing a fresh capability.
+    access(contract) fun _cleanupExistingGrant(_ addr: Address) {
+        if let info = self.issuedCapIDs[addr] {
+            if let ctrl = self.account.capabilities.storage.getController(byCapabilityID: info.capID) {
+                ctrl.delete()
+                emit BetaRevoked(addr: addr, capID: info.capID)
+            }
+        }
+    }
+
     /// Delete the recorded controller, revoking *all copies* of the capability
     access(contract) fun _revokeByAddress(_ addr: Address) {
         let info = self.issuedCapIDs[addr] ?? panic("No cap recorded for address")
@@ -83,6 +93,7 @@ access(all) contract FlowYieldVaultsClosedBeta {
     // 2) A small in-account helper resource that performs privileged ops
     access(all) resource AdminHandle {
         access(Admin) fun grantBeta(addr: Address): Capability<auth(FlowYieldVaultsClosedBeta.Beta) &FlowYieldVaultsClosedBeta.BetaBadge> {
+            FlowYieldVaultsClosedBeta._cleanupExistingGrant(addr)
             FlowYieldVaultsClosedBeta._ensureBadge(addr)
             return FlowYieldVaultsClosedBeta._issueBadgeCap(addr)
         }