Lack of access control in `approve(...)` function in `CapitalPool.sol`
Summary
The approve(...) function in CapitalPool.sol does not have access control, allowing anyone to call it and passing arrbitrary unsafe token address as an argument. Hence, the CapitalPool contract calls potentially malicious code in the approve(...) function of the token contract.
Vulnerability Details
The approve(...) function in the CapitalPool.sol contract is missing access control mechanisms. This absence of access control allows any user, including potentially malicious actors, to invoke the approve(...) function.
Impact
Since there are no restrictions on who can call the approve(...) function, anyone can pass any token contract address (tokenAddr) to this function. The function will proceed to call the approve method on the provided token contract address, regardless of whether the token is safe, known, or malicious.
Tools Used
Manual code review
Recommendations
Add access control to the approve(...) function in the CapitalPool.sol contract to restrict who can call it.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.