Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Missing access control mechanisms in `CapitalPool::approve`, allowing any user to call this function.

v1vah0us3

Description

The CapitalPool::approve function is designed to authorize the token manager to spend tokens on behalf of the CapitalPool contract by calling the approve method with unlimited allowance type(uint256).max. However, there is no restriction on who can call this function (due to its external visibility), so that any user can call it:

/**
* @dev Approve token for token manager
@> * @notice only can be called by token manager
* @param tokenAddr address of token
*/
@> function approve(address tokenAddr) external {
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed();
}
}

Impact

Without proper access control, a malicious actor can call the CapitalPool::approve function to authorize the TokenManager to spend tokens from the CapitalPool contract. Although the address being approved (tokenManager) is not under the control of the attacker, the ability for anyone to trigger this approval undermines the intended access control and governance and could potentially lead to a series of further attacks, including unauthorized token transfers or possible draining of the CapitalPool. Thus the severity of this vulnerability can be rated as medium.

Tools used

manual review, vscode

Recommended Mitigation

Adding access control to CapitalToken::approve function is crucial to prevent unauthorized actions and ensure the security and integrity of the protocol. Consider making the following changes to the CapitalToken.sol contract:

+ modifier onlyTokenManager() {
require(msg.sender == tadleFactory.relatedContracts(RelatedContractLibraries.TOKEN_MANAGER), "Not the token manager");
_;
}
- function approve(address tokenAddr) external {
+ function approve(address tokenAddr) external onlyTokenManager {
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed();
}
}
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!