No access control in CapitalPool.approve()
The natspec says that only the tokenManager can call the function.
However there is no check on msg.sender
. As a result, anyone can call the approve()
function.
Anyone can pass in any tokenAddr
and have it provide max approval to the tokenManager
Manual Review
Assert that msg.sender
is the tokenManager
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.