Tadle
Tadle
DeFi
30,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Broken Access control on CapitalPool approve method

0xreadyplayer1

Summary

The CapitalPool.solhas an approve method which is intended to make an approve call to approve token manager of some tokens ( determined by token address passed as parameter ). The Function was supposed to be called only by token manager. However , there is no access control on this function .Which is in itself a great problem . Additionally it can lead to devastating effects such as attacker can pass any malicious contract address , and inside a function having same siganture as approve, they can either let the CapitalPool approve the malicious contract of its tokens or just execute arbitrary logic that can affect Capital pool in longer term.

Vulnerability Details

Inside CapitalPool.sol, following is the approve method

/**
* @dev Approve token for token manager
* @notice only can be called by token manager
* @param tokenAddr address of token
*/
function approve(address tokenAddr) external {
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed();
}
}

The comment @notice only can be called by token managerstates there MUST be access control ensured , however it is not .

Additionally , if we take a look , the contract makes a call to user's passed tokenAddr that has some function with the same selector as Approve.

(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);

Any Malicious attacker can craft a contract at token address tokenAddr with a function that mathches the selector

bytes4 private constant APPROVE_SELECTOR =
bytes4(keccak256(bytes("approve(address,uint256)")));

(Same selector does not mean same implementation).

Call the contract and they can perform multiple devasting effects like inside their malicious contract at tokenAddr, they can make some calls to contracts where the involvement of CapitalPool was needed . A creative attacker can exploit it to the fullest.

Impact

Anyone can call approve due to broken access control

Arbitrary token addresses can be called from capital pool due to call to user controlled param

Tools Used

Manual Review

Recommendations

Implement access control that only Token manager can call this method

require(tokenManager==msg.sender,'only Token Manager is allowed to approve')
Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.