The `approve()` function in the `CapitalPool` contract lacks access control, allowing any user to call it. This function sets an unlimited token allowance for the `TokenManager` on a specified token address, enabling unauthorized approvals. The NatSpec of `CapitalPool::approve()` states that it can only be called by the token manager, but that is not the case here: there is no modifier that checks that `msg.sender` matches the `TokenManager` contract address.
An unauthorized user can call `CapitalPool::approve()`, which breaks the invariant, stated in the function's NatSpec, that `approve()` can only be called by the `TokenManager` contract.
A random user calls `CapitalPool::approve()`, which gives the `TokenManager` contract approval to spend `type(uint256).max`. The last assertion reads the `TokenManager` contract's allowance and compares it to `type(uint256).max`.
You can run the test with the following command:

Take a look at the logs:
Implement access control to restrict the `approve()` function to authorized callers, such as the `TokenManager`:

This ensures only the `TokenManager` can call `approve()`, preventing unauthorized access.
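The vulnerable shape described in the finding and the recommended modifier-based fix, side by side, with a Foundry test that reproduces the PoC scenario above (random caller, allowance equals `type(uint256).max`) and shows the fixed contract rejecting the same call. This is an added illustrative example, not the Tadle code base or the submission's own test: `CapitalPoolVulnerable`, `CapitalPoolFixed`, `MockToken`, the `onlyTokenManager` modifier, the `NotTokenManager` error and the constructor-injected `tokenManager` address are all assumptions (in the real project the judge notes the address comes from `TadleFactory`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative example; not the Tadle code base. Contract names mirror
// the finding, but the storage layout, the constructor-injected manager address
// and the modifier/error names are assumptions, not the project's real API.

import {Test} from "forge-std/Test.sol";

interface IERC20Approve {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Minimal ERC20-like token used only by the test (constructed mock, not a real token).
contract MockToken is IERC20Approve {
    mapping(address => mapping(address => uint256)) private _allowance;

    function approve(address spender, uint256 amount) external returns (bool) {
        _allowance[msg.sender][spender] = amount;
        return true;
    }

    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowance[owner][spender];
    }
}

/// Vulnerable shape: anyone can grant the token manager an unlimited
/// allowance on any token held by the pool.
contract CapitalPoolVulnerable {
    address public immutable tokenManager; // assumed injected here; looked up from a factory in the real project

    constructor(address tokenManager_) { tokenManager = tokenManager_; }

    /// @notice NatSpec claims "only callable by the token manager", but nothing enforces it.
    function approve(address tokenAddr) external {
        IERC20Approve(tokenAddr).approve(tokenManager, type(uint256).max);
    }
}

/// Hardened shape: the recommended access control, expressed as a modifier
/// that compares msg.sender with the token manager address.
contract CapitalPoolFixed {
    address public immutable tokenManager;

    error NotTokenManager(address caller);

    constructor(address tokenManager_) { tokenManager = tokenManager_; }

    modifier onlyTokenManager() {
        if (msg.sender != tokenManager) revert NotTokenManager(msg.sender);
        _;
    }

    function approve(address tokenAddr) external onlyTokenManager {
        IERC20Approve(tokenAddr).approve(tokenManager, type(uint256).max);
    }
}

/// Foundry test: reproduces the permissionless approval on the vulnerable
/// contract and verifies the fixed contract only accepts the token manager.
contract CapitalPoolApproveTest is Test {
    address manager = makeAddr("tokenManager");
    address randomUser = makeAddr("randomUser");
    MockToken token = new MockToken();

    function test_VulnerableApproveIsPermissionless() public {
        CapitalPoolVulnerable pool = new CapitalPoolVulnerable(manager);
        vm.prank(randomUser); // random user, not the token manager
        pool.approve(address(token));
        // The pool has now granted the manager an unlimited allowance.
        assertEq(token.allowance(address(pool), manager), type(uint256).max);
    }

    function test_FixedApproveRejectsRandomUser() public {
        CapitalPoolFixed pool = new CapitalPoolFixed(manager);
        vm.prank(randomUser);
        vm.expectRevert(abi.encodeWithSelector(CapitalPoolFixed.NotTokenManager.selector, randomUser));
        pool.approve(address(token));
        assertEq(token.allowance(address(pool), manager), 0);

        vm.prank(manager); // the authorized caller still succeeds
        pool.approve(address(token));
        assertEq(token.allowance(address(pool), manager), type(uint256).max);
    }
}
```

Run with `forge test --match-contract CapitalPoolApproveTest -vvvv` in a Foundry project that has `forge-std` installed; the first test passes against the vulnerable contract (demonstrating the issue) and the second shows the modifier closing it while leaving the `TokenManager` path intact.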
This is at most low severity, even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.