Missing authorization check in approve function, allows unauthorized access inside CapitalPool
Summary
The approve function, inside CapitalPool lacks a validation check to ensure that only the token manager can call it.
Vulnerability Details
In the approve function of the CapitalPool.sol contract, there is a missing require statement to verify that the caller is the designated token manager. Without this check, any address could potentially call the approve function, leading to unauthorized token approvals and possible security risks.
Impact
This missing check allows any address to invoke the approve function, which could result in tokens being approved for unintended addresses, thereby compromising the security of the contract.
Tools Used
Imagination
Recommendations
Add a require statement to ensure that only the token manager can call the approve function, preventing unauthorized access and securing token approvals:
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.