CapitalPool.approve()
does not adhere to NatSpec and can be called by anyone, not just TokenManager. As a result, a malicious actor could provide any address as the tokenAddr parameter and make calls to arbitrary contracts.
Permissionless CapitalPool.approve()
function and the NatSpec;
A malicious actor could provide any address as the tokenAddr parameter and make calls to arbitrary contracts. This can be especially problematic with other protocols that use tx.origin
.
Foundry
Add a modifier so that only TokenManager and/or Owner can call CapitalPool.approve()
.
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.