Anyone can approve tokens on the capital pool
Summary
The capital pool has a method "approve", which gives permission for the TokenManager to spend a token held by it.
The documentation says it can only be called by the Token Manager, but anyone can call the function.
Vulnerability Details
Anyone can call capitalPool.approve(randomToken). It does not put user funds at risk now, but might in future upgrades.
Impact
No funds are at risk because although it's a free approval, it only approves a trusted spender. Because it seems to go against the documentation and the protocol rules, I am reporting it as LOW.
Tools Used
Forge.
Recommendations
Add the onlyRelatedContracts modifier to the approve function, with TokenManager as the allowed contract.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.