Missing access control leads to unlimited approvals
Summary
The approve function is marked as external, which means it can be called by any external account or contract. However, the comment suggests that it should "only be called by token manager". There's no check to ensure that the caller is actually the token manager.
Without proper access control, any external actor could call this function and approve the token manager to spend an unlimited amount (type(uint256).max) of any token at the tokenAddr address on behalf of the CapitalPool contract.
Code
Impact
Theft of funds:
An attacker could approve a malicious address to spend all of the contract's tokens, potentially draining the entire balance of any ERC20 token held by the CapitalPool contract.
Mitigation
Add an access control modifier to ensure only the token manager can call this function.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.