Tadle

Tadle
DeFiFoundry
27,750 USDC
View results
Submission Details
Severity: low
Valid

`CapitalPool.approve()` is permissionless contrary to the NatSpec

Summary

CapitalPool.approve() does not adhere to NatSpec and can be called by anyone, not just TokenManager. As a result, a malicious actor could provide any address as the tokenAddr parameter and make calls to arbitrary contracts.

Vulnerability Details

Permissionless CapitalPool.approve() function and the NatSpec;

/**
* @dev Approve token for token manager
* @notice only can be called by token manager
* @param tokenAddr address of token
*/
function approve(address tokenAddr) external {
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed();
}
}

Impact

A malicious actor could provide any address as the tokenAddr parameter and make calls to arbitrary contracts. This can be especially problematic with other protocols that use tx.origin.

Tools Used

Foundry

Recommendations

Add a modifier so that only TokenManager and/or Owner can call CapitalPool.approve().

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.