The `CapitalPool.sol` contract has an `approve` method intended to grant the token manager an approval for the token whose address is passed as the `tokenAddr` parameter. The function is supposed to be callable only by the token manager, yet it has no access control at all, which is a problem in itself. Worse, because the call target is the caller-supplied `tokenAddr`, an attacker can pass the address of any malicious contract that exposes a function with the same signature as `approve`, and either have the CapitalPool grant an approval on that malicious contract or execute arbitrary logic that can affect the Capital Pool in the longer term.
Inside `CapitalPool.sol`, the `approve` method is as follows:
The comment `@notice only can be called by token manager` states that access control MUST be ensured, yet none is implemented.
Additionally, the contract makes a low-level call to the caller-supplied `tokenAddr`, invoking whatever function at that address has the same selector as `approve`. A malicious attacker can deploy a contract at `tokenAddr` whose function matches that selector (the same selector does not mean the same implementation), then call `CapitalPool.approve` with that address. The attacker's function is then executed with the CapitalPool as `msg.sender`, so from inside it they can, for example, make calls to contracts where the involvement of the CapitalPool was required. A creative attacker can exploit this to the fullest.
Anyone can call `approve` because of the broken access control.
Arbitrary token addresses can be called from the CapitalPool because the call target is a user-controlled parameter.
Manual Review
Implement access control so that only the token manager can call this method (for example, revert unless `msg.sender` is the token manager address).
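The call pattern described above and the recommended fix, as an added example modeled on this finding's description; it is not Tadle's source. The contract names, the `tokenManager` address being injected through a constructor instead of looked up elsewhere, the `MaliciousToken` attacker contract and the `Demo` harness are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: a reconstruction of the pattern described in the finding,
// not Tadle's source. Contract names, the constructor-injected tokenManager
// and the Demo harness are assumptions made for this illustration.

/// Vulnerable shape: approve() has no caller check and the call target is
/// caller-controlled.
contract VulnerableCapitalPool {
    bytes4 internal constant APPROVE_SELECTOR =
        bytes4(keccak256("approve(address,uint256)"));

    address public immutable tokenManager;

    error ApproveFailed();

    constructor(address tokenManager_) {
        tokenManager = tokenManager_;
    }

    /// @notice only can be called by token manager (documented, not enforced)
    function approve(address tokenAddr) external {
        // Only the selector is fixed: any contract at tokenAddr that exposes
        // approve(address,uint256) runs its own body with this pool as
        // msg.sender.
        (bool success, ) = tokenAddr.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, tokenManager, type(uint256).max)
        );
        if (!success) revert ApproveFailed();
    }
}

/// Attacker-deployed contract passed as tokenAddr: same selector, arbitrary
/// implementation. It records the caller to show that the pool is msg.sender.
contract MaliciousToken {
    address public lastCaller;
    address public lastSpender;
    uint256 public lastAmount;

    function approve(address spender, uint256 amount) external returns (bool) {
        lastCaller = msg.sender; // the CapitalPool
        lastSpender = spender;   // the token manager address
        lastAmount = amount;     // type(uint256).max
        // Any further logic placed here executes inside a call that
        // originates from the pool.
        return true;
    }
}

/// Hardened shape: the recommended access control, enforced by a modifier.
contract HardenedCapitalPool {
    bytes4 internal constant APPROVE_SELECTOR =
        bytes4(keccak256("approve(address,uint256)"));

    address public immutable tokenManager;

    error ApproveFailed();
    error NotTokenManager(address caller);

    constructor(address tokenManager_) {
        tokenManager = tokenManager_;
    }

    modifier onlyTokenManager() {
        if (msg.sender != tokenManager) revert NotTokenManager(msg.sender);
        _;
    }

    function approve(address tokenAddr) external onlyTokenManager {
        (bool success, ) = tokenAddr.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, tokenManager, type(uint256).max)
        );
        if (!success) revert ApproveFailed();
    }
}

/// Demo: an arbitrary account (this contract) drives the vulnerable pool into
/// calling the attacker's contract; the hardened pool reverts for the same caller.
contract Demo {
    function run() external returns (bool vulnerableHit, bool hardenedBlocked) {
        address fakeManager = address(0xBEEF); // assumed token manager address
        VulnerableCapitalPool vPool = new VulnerableCapitalPool(fakeManager);
        MaliciousToken mal = new MaliciousToken();

        vPool.approve(address(mal)); // no access control: succeeds for anyone
        vulnerableHit =
            mal.lastCaller() == address(vPool) &&
            mal.lastSpender() == fakeManager &&
            mal.lastAmount() == type(uint256).max;

        HardenedCapitalPool hPool = new HardenedCapitalPool(fakeManager);
        try hPool.approve(address(mal)) {
            hardenedBlocked = false;
        } catch {
            hardenedBlocked = true; // reverted with NotTokenManager(address(this))
        }
    }
}
```

Deploying `Demo` and calling `run()` returns `(true, true)`: the vulnerable pool executed the attacker's `approve` body with itself as `msg.sender`, while the hardened pool rejected the same call because `Demo` is not the configured token manager.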
This is at most low severity, even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.