The `approve` function in the `CapitalPool` contract is unprotected and can be called by anyone, but it should be callable only by the `TokenManager` contract.
The `approve` function in the `CapitalPool` contract is supposed to be called only by the `TokenManager` contract, to approve the transfer from the capital pool to the token manager of the USDC and WETH the capital pool holds. However, the function is unprotected, so anyone can call it with any token they want.
Anyone can call the `approve` function in the `CapitalPool` contract, but this function should be called only by the `TokenManager`.
Manual Review
Add a modifier to the `approve` function so that it can be called only by the `TokenManager`.
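One way to apply this recommendation, as an added sketch that is not the Tadle source: `IFactoryLike`, its `tokenManager()` getter, `CapitalPoolSketch`, and the error names are hypothetical stand-ins for however the project resolves the token manager address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration; every name here is hypothetical, not Tadle's code.
interface IFactoryLike {
    // Assumed getter for the token manager registered by the trusted deployer.
    function tokenManager() external view returns (address);
}

contract CapitalPoolSketch {
    bytes4 private constant APPROVE_SELECTOR =
        bytes4(keccak256("approve(address,uint256)"));

    IFactoryLike public immutable factory;

    error CallerIsNotTokenManager(address caller);
    error ApproveFailed(address token);

    constructor(IFactoryLike factory_) {
        factory = factory_;
    }

    // Resolve the manager on every call so a registry update is honoured.
    modifier onlyTokenManager() {
        if (msg.sender != factory.tokenManager()) {
            revert CallerIsNotTokenManager(msg.sender);
        }
        _;
    }

    // The spender is always the registered manager, never caller-supplied.
    function approve(address tokenAddr) external onlyTokenManager {
        // A low-level call to an address without code "succeeds", so reject it.
        if (tokenAddr.code.length == 0) revert ApproveFailed(tokenAddr);

        address spender = factory.tokenManager();
        (bool ok, bytes memory ret) = tokenAddr.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, spender, type(uint256).max)
        );
        // Accept tokens that return nothing; reject an explicit `false`.
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) {
            revert ApproveFailed(tokenAddr);
        }
    }
}
```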
This is at most low severity. Even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.