Lack of Access Control on approve Function
Summary
The approve function lacks access control, allowing anyone to call it and approve tokens to the TokenManager. This coil lead to unauthorised token approvals and potential fund drains.
Vulnerability Details
An attacker could call the approve function, and if they have control over the tokenManager, they could approve the maximum token amount to themselves and then transfer the tokens out.
Impact
Unauthorised approvals could lead to the draining of the contract's tokens. The potential loss is the full amount of tokens held by the contract at the time of the attack.
Tools Used
Manual review
CODE SNIPPET
Recommendations
Add access control to ensure that only authorised(e.g. the owner or admin) can call the approve function.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.