[M-1] Missing access control in `CapitalPool::approve()` and missing approve(0)
Description:
As per the natspec of approve(), the function is only supposed to be called by token manager.
For reference of documentation:
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/CapitalPool.sol#L19-L24
However the function is missing any kind of access control and is defined as external hence it can be called by any EOA.
Moreover, some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example Tether (USDT)'s approve() function will revert if the current approval is not zero, to protect against front-running changes of approvals.
Impact:
Any EOA can call the approve() in CapitalPool and set approval to type(uint256).max for TokenManager.
Tools Used
Manual review
Recommended Mitigation:
Add a check for message sender and either call approve(0) first or use Openzeppelin's SafeERC20::forceApprove()
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.