approve() in CapitalPool can be called by anyone
Summary
approve() in CapitalPool can be called by anyone.
Vulnerability Details
Accoding to the NatSpec of approve() in CapitalPool contract, this function is only supposed to be called by TokenManager.
@notice only can be called by token manager
However, there is no access control to this function and it can be called by anyone, this is obviously not intended.
Impact
approve() can be called by anyone.
Tools Used
Manual Review
Recommendations
Add access control to approve() so it can only be called by TokenManager.
Then approve() must be called in withdraw():
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.