Tadle
DeFi
30,000 USDC
Ended
Submission Details
Severity: low
Valid

Lack of Access Control in `approve` Function Allows Unauthorized Token Approvals

Summary

The approve function in CapitalPool.sol lacks access control, allowing any user to call it and approve tokens. This contradicts the function's comment, which states that it should only be callable by the token manager. This vulnerability can lead to unauthorized approvals and potential misuse of tokens.

Vulnerability Details

Location: CapitalPool.sol::approve

Description:

The approve function is intended to be called only by the token manager to approve tokens. However, the function does not enforce any access control, enabling any user to call it and approve tokens for the token manager.

Proof of Concept

```solidity
/**
 * @dev Approve token for token manager
 * @notice only can be called by token manager
 * @param tokenAddr address of token
 */
// @audit anyone can call approve
function approve(address tokenAddr) external {
    address tokenManager = tadleFactory.relatedContracts(RelatedContractLibraries.TOKEN_MANAGER);
    (bool success, ) = tokenAddr.call(
        abi.encodeWithSelector(
            APPROVE_SELECTOR,
            tokenManager,
            type(uint256).max
        )
    );

    if (!success) {
        revert ApproveFailed();
    }
}
```

Root Cause:

The function lacks access control mechanisms to restrict its execution to the token manager. As a result, any user can call this function and approve tokens, potentially leading to unauthorized token transfers and other malicious activities.

Impact

This vulnerability allows any user to call the approve function and approve tokens for the token manager. This can lead to unauthorized token approvals, resulting in potential loss or misuse of tokens.

Tools Used

  • Manual code review

Recommendations

  1. Implement Access Control: Add access control to the approve function to ensure that only the token manager can call it.
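One way to apply this recommendation, shown as an added example that is not part of the original submission or the Tadle code base. The `IFactoryLike` interface, the `TOKEN_MANAGER_KEY` placeholder, the contract name and the `CallerIsNotTokenManager` error are assumptions made so the snippet compiles on its own; `tadleFactory`, `APPROVE_SELECTOR` and `ApproveFailed` follow the function quoted in the proof of concept.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumption: minimal stand-in for the factory lookup used by the original function;
// the real interface and key type are defined in the Tadle repository.
interface IFactoryLike {
    function relatedContracts(uint8 key) external view returns (address);
}

contract CapitalPoolHardened {
    // Assumption: placeholder key standing in for RelatedContractLibraries.TOKEN_MANAGER.
    uint8 internal constant TOKEN_MANAGER_KEY = 0;

    // Selector of the ERC-20 approve(address,uint256) function.
    bytes4 private constant APPROVE_SELECTOR =
        bytes4(keccak256("approve(address,uint256)"));

    IFactoryLike public immutable tadleFactory;

    error ApproveFailed();
    error CallerIsNotTokenManager(address caller); // hypothetical error name

    constructor(IFactoryLike factory) {
        tadleFactory = factory;
    }

    /// @dev Resolves the token manager from the factory, as the original function
    ///      does, and rejects every other caller before any approval is issued.
    modifier onlyTokenManager() {
        address tokenManager = tadleFactory.relatedContracts(TOKEN_MANAGER_KEY);
        if (msg.sender != tokenManager) revert CallerIsNotTokenManager(msg.sender);
        _;
    }

    /// @notice Can only be called by the token manager, matching the NatSpec comment.
    /// @param tokenAddr address of token
    function approve(address tokenAddr) external onlyTokenManager {
        // The modifier guarantees msg.sender is the token manager, so the
        // spender of the max approval is the verified caller itself.
        (bool success, ) = tokenAddr.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, msg.sender, type(uint256).max)
        );
        if (!success) revert ApproveFailed();
    }
}
```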

Updates

Community Judging Commences

Community Judging Judge
7 months ago
Community Judgement Published
83.3% Invalid

Lead Judging Commences

0xnevi Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity. Even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract, whereby the trusted guardian role is responsible for deploying such contracts, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
