Tadle

Tadle
DeFi
30,000 USDC
View results
Submission Details
Severity: low
Valid

No access control in CapitalPool.approve()

Summary

No access control in CapitalPool.approve()

Vulnerability Details

The natspec says that only the tokenManager can call the function.

/**
* @dev Approve token for token manager
* @notice only can be called by token manager
* @param tokenAddr address of token
*/
function approve(address tokenAddr) external {

However there is no check on msg.sender. As a result, anyone can call the approve()function.

Impact

Anyone can pass in any tokenAddr and have it provide max approval to the tokenManager

Tools Used

Manual Review

Recommendations

Assert that msg.sender is the tokenManager

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.