Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Valid

Missing access control in `CapitalPool.approve`

Summary

Missing access control in CapitalPool.approve

Vulnerability Details

The approve function allows the CapitalPool to approve the TokenManager contract to spend an unlimited amount (uint256.max) of a specific ERC20 token.

```solidity
function approve(address tokenAddr) external {
    address tokenManager = tadleFactory.relatedContracts(
        RelatedContractLibraries.TOKEN_MANAGER
    );
    (bool success, ) = tokenAddr.call(
        abi.encodeWithSelector(
            APPROVE_SELECTOR,
            tokenManager,
            type(uint256).max
        )
    );
    if (!success) {
        revert ApproveFailed();
    }
}
```

The vulnerability here is that the function currently lacks access control, meaning anyone can call this function and potentially set the approval for any ERC20 token, which can be a significant security risk.

We can also see that we have this NatSpec comment:

only can be called by token manager

But there is no such restriction.

Impact

Without access control, anyone can call the approve function. This means that a malicious actor could invoke this function to set an approval for the TokenManager to spend the CapitalPool's tokens without proper authorization.

This means he could approve the TokenManager to spend an unlimited amount of tokens from any ERC20 token that the CapitalPool holds. This would allow the attacker to drain the CapitalPool of its tokens, leading to significant financial loss.

Tools Used

Visual Studio Code

Recommendations

Add access control in the CapitalPool.approve() function.
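
One way to implement this recommendation, as an added example that is not part of the submission or the Tadle code base: `approve` reverts unless the caller is the TokenManager address registered in the factory, which is what the NatSpec comment states. The `ITadleFactory` interface, the `TOKEN_MANAGER` id value, the `APPROVE_SELECTOR` definition, the contract name and the `CallerIsNotTokenManager` error are assumptions made so the sketch compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumed minimal view of the factory: only the lookup used on this page.
interface ITadleFactory {
    function relatedContracts(uint8 contractId) external view returns (address);
}

// Stand-in for the project's RelatedContractLibraries (assumption).
library RelatedContractLibraries {
    uint8 internal constant TOKEN_MANAGER = 5; // constructed placeholder id
}

contract CapitalPoolSketch {
    // Assumed definition: selector of the ERC20 approve(address,uint256) function.
    bytes4 private constant APPROVE_SELECTOR =
        bytes4(keccak256("approve(address,uint256)"));

    ITadleFactory public immutable tadleFactory;

    error ApproveFailed();
    error CallerIsNotTokenManager(address caller); // hypothetical error name

    constructor(ITadleFactory factory) {
        tadleFactory = factory;
    }

    /// @dev Only callable by the TokenManager registered in the factory.
    function approve(address tokenAddr) external {
        address tokenManager = tadleFactory.relatedContracts(
            RelatedContractLibraries.TOKEN_MANAGER
        );
        // Access control: reject every caller except the registered TokenManager.
        if (msg.sender != tokenManager) {
            revert CallerIsNotTokenManager(msg.sender);
        }
        // Same approval as before: spender is the TokenManager, amount is max.
        (bool success, ) = tokenAddr.call(
            abi.encodeWithSelector(
                APPROVE_SELECTOR,
                tokenManager,
                type(uint256).max
            )
        );
        if (!success) {
            revert ApproveFailed();
        }
    }
}
```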

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity. Even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
