The allowance check for the old and new token managers is not correctly validating the allowance.
The issue lies in the verification of allowances when the `approve` function is called in the `CapitalPool` contract. Specifically, when the token manager address changes, the contract might not correctly revoke or update the old allowances, leading to a scenario where both the old and new token managers have valid allowances to spend the same tokens.
If the old token manager's allowance is not correctly revoked, this could lead to unauthorized token transfers by the old manager. This could be exploited if the old token manager's address is compromised or malicious.
I have created a simple POC with `CapitalPoolEdgeTest.t.sol`, added `mocktokenmanager` in `mocks`, and utilized `MockERC20Token`.
Output: Foundry test run (embedded as an image on the original page; not reproduced here).
Consider implementing a more secure pattern where approvals are time-limited or require explicit revocation before new approvals are granted.
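One way to implement the explicit revocation the finding recommends, as an added example written for this page rather than code from the audited `CapitalPool` contract; the contract shape, the `owner`/`tokenManager` names and the max-uint allowance are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative pool (not the audited CapitalPool) showing the pattern the
/// finding asks for: the previous manager's allowance is zeroed before the
/// new manager receives one, so only one manager can ever spend pool funds.
contract PoolWithRevokedApprovals {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public owner;         // assumed: trusted admin, as the README describes
    address public tokenManager;  // assumed: the current spender of pool funds

    event TokenManagerUpdated(address indexed previous, address indexed current);

    constructor(IERC20 _token, address _manager) {
        token = _token;
        owner = msg.sender;
        _setTokenManager(_manager);
    }

    function setTokenManager(address newManager) external {
        require(msg.sender == owner, "not owner");
        require(newManager != address(0), "zero manager");
        _setTokenManager(newManager);
    }

    function _setTokenManager(address newManager) internal {
        address previous = tokenManager;
        if (previous != address(0)) {
            // Explicit revocation: the old manager can no longer call transferFrom.
            token.forceApprove(previous, 0);
        }
        tokenManager = newManager;
        // Exactly one live allowance; forceApprove also handles tokens that
        // reject a non-zero -> non-zero approve change.
        token.forceApprove(newManager, type(uint256).max);
        emit TokenManagerUpdated(previous, newManager);
    }

    /// Invariant a Foundry test can assert after a rotation:
    /// the previous manager holds no allowance, the current one does.
    function onlyCurrentManagerApproved(address previous) external view returns (bool) {
        return token.allowance(address(this), previous) == 0
            && token.allowance(address(this), tokenManager) > 0;
    }
}
```

A rotation test would call `setTokenManager(newManager)` and assert `onlyCurrentManagerApproved(oldManager)` returns true.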
The following issue and its duplicates are invalid, as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally, admins are trusted, as noted in the README; they can break certain assumptions of the code based on their actions, and