Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Valid

Unrestricted Access to Token Approval Function

Summary

The lack of access control in CapitalPool's approve function allows unauthorized actors to approve unlimited token spending on behalf of the contract. This flaw exposes the contract to potential misuse, enabling malicious actors to approve arbitrary tokens for spending by the TokenManager without restriction. This is despite its documentation explicitly stating that it should only be callable by the token manager.

Vulnerability Details

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L24
The approve function is intended to grant the TokenManager unlimited approval for a specified token. However, the function lacks access control, contrary to the documentation, which states that it should only be callable by the TokenManager. The absence of an access control modifier allows any external address to call this function, enabling unauthorized approvals for token spending.

Impact

This function allows any caller to trigger the approve process for any token, contrary to what the documentation states. As a result, even malicious tokens, or any token held by the contract, can be approved.
If the TokenManager interacts with malicious contracts that have been approved by this function, it could lead to broader issues within the ecosystem.

Tools Used

Manual Review

Recommendations

Add a modifier to restrict access to the approve function, ensuring only the TokenManager can call it.
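
One way to implement the recommended restriction, as an added sketch that is not Tadle's code and not part of the original submission. `IFactoryLike`, its `tokenManager()` getter, `IERC20Like`, `CapitalPoolSketch` and the error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added sketch: every name here is an assumption, not Tadle's own code.
interface IFactoryLike {
    // Hypothetical getter for the TokenManager registered in the factory.
    function tokenManager() external view returns (address);
}

interface IERC20Like {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract CapitalPoolSketch {
    IFactoryLike public immutable factory;

    error CallerIsNotTokenManager(address caller);
    error ApproveFailed(address token);

    constructor(IFactoryLike factory_) {
        factory = factory_;
    }

    // Only the TokenManager currently registered in the factory may pass.
    modifier onlyTokenManager() {
        if (msg.sender != factory.tokenManager()) {
            revert CallerIsNotTokenManager(msg.sender);
        }
        _;
    }

    // Before (the reported pattern): `external` with no modifier, so any
    // address could trigger a max approval for any token address.
    // After: the modifier makes the documented restriction enforceable.
    function approve(address tokenAddr) external onlyTokenManager {
        // Reject addresses without code; a low-level call to them "succeeds".
        if (tokenAddr.code.length == 0) revert ApproveFailed(tokenAddr);
        // msg.sender is the TokenManager here, so the spender is never
        // caller-chosen. Low-level call tolerates tokens returning no bool.
        (bool ok, bytes memory ret) = tokenAddr.call(
            abi.encodeWithSelector(
                IERC20Like.approve.selector, msg.sender, type(uint256).max
            )
        );
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) {
            revert ApproveFailed(tokenAddr);
        }
    }
}
```

A unit test for this change should assert that a call from any address other than the registered TokenManager reverts with `CallerIsNotTokenManager`.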

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity. Even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract, whereby the trusted guardian role is responsible for deploying such contracts, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
