According to the NatSpec, the CapitalPool::approve function is only meant to be called by the token manager. However, this invariant does not hold: the function is in fact externally visible and can be called by anyone, which leads to several impacts.
The approve function is a delicate function, similar to allowance, which is meant to be called by the token manager. The function is used to approve the spending of a user's tokens by the contract. However, the current implementation is dangerous because it can be called by anyone. It also breaks the code logic, because what is written in the NatSpec differs from what the function actually does.
Break in logic: the function's behaviour contradicts its documented invariant, and approvals can be triggered by any caller rather than only the token manager.
Add an access control check to the function so that only the token manager can call it.
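As an added illustration, not the project's own code (the real CapitalPool, TokenManager and TadleFactory differ in detail), here is a simplified model of the finding: a contract whose `approve` carries only a NatSpec promise, beside the hardened form with the caller check the recommendation asks for. The `ITadleFactoryLike.tokenManager()` getter and the `approve(address token)` signature are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface; approve() is the only call this illustration needs.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// ASSUMPTION: a stand-in for the factory that knows the trusted token manager.
// The real TadleFactory exposes this differently; the interface exists only so
// the example compiles on its own.
interface ITadleFactoryLike {
    function tokenManager() external view returns (address);
}

/// Model of the finding: `approve` is documented as token-manager-only, but
/// nothing enforces it, so any account can trigger a max approval.
contract CapitalPoolVulnerable {
    ITadleFactoryLike public immutable factory;

    constructor(address _factory) {
        factory = ITadleFactoryLike(_factory);
    }

    /// @notice Only the token manager should call this.
    /// @dev As in the finding: the NatSpec says "token manager only", the code
    ///      checks nothing, so the documented invariant does not hold.
    function approve(address token) external {
        IERC20(token).approve(factory.tokenManager(), type(uint256).max);
    }
}

/// Hardened form: the recommended access control, looked up from the factory
/// at call time so the invariant in the NatSpec is actually enforced.
contract CapitalPoolFixed {
    ITadleFactoryLike public immutable factory;

    error NotTokenManager(address caller);

    constructor(address _factory) {
        factory = ITadleFactoryLike(_factory);
    }

    modifier onlyTokenManager() {
        if (msg.sender != factory.tokenManager()) {
            revert NotTokenManager(msg.sender);
        }
        _;
    }

    /// @notice Only the token manager can call this; any other caller reverts.
    function approve(address token) external onlyTokenManager {
        // After the modifier, msg.sender is the token manager by construction.
        IERC20(token).approve(msg.sender, type(uint256).max);
    }
}
```

The fixed version reads the manager address from the factory on every call rather than caching it in storage, so a factory-side change of the token manager takes effect immediately and no stale address can keep passing the check.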
This is at most low severity, even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.