Lack access control in contract CapitalPool::approve
Summary
it was observed that the approve function in contract CapitalPool lacks proper access control. Although the function's comment indicates that it should only be called by the token manager, there is no implementation of this restriction in the code.
Vulnerability Details
The approve function is intended to be called only by the token manager, as indicated by the comment. However, the function does not implement any access control mechanisms to enforce this restriction.
Impact
Unauthorized Access: Any external account can call the approve function, potentially allowing them to approve tokens for unauthorized use.
Security Risks: Without restricting the function to the token manager, the contract is vulnerable to unauthorized actions that could lead to token mismanagement and potential loss of funds.
Tools Used
Manual Review
Recommendations
Ensure that the approve function can only be called by the token manager by adding a require statement to check the caller's address.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.