The docstring for the approve function in the CapitalPool contract incorrectly states that the function can only be called by the Token Manager. However, in reality, the function is callable by anyone.
A test added to the end of PreMarkets.t.sol demonstrates that the approve function can be called by a "NON TOKEN MANAGER" user (user1).
It verifies that user1 is not the Token Manager using the assume cheat code and then attempts to call the approve function. The expected behavior is that the function call reverts, but the test fails, indicating that the function call succeeds without reverting.
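The shape of that proof of concept, together with the access check that would make the docstring true, as an added Foundry example that is not part of the submission or of the Tadle code base. It assumes a simplified pool whose factory exposes a `tokenManager()` getter and a hypothetical `NotTokenManager` error; the real CapitalPool, TadleFactory and their signatures are not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the factory lookup; not Tadle's real TadleFactory interface.
contract MockFactory {
    address public immutable tokenManager;
    constructor(address tm) { tokenManager = tm; }
}

// Simplified pool. `allowanceGranted` stands in for the ERC20 max-approval the real
// contract performs; the access-control question is the same.
contract SimplifiedCapitalPool {
    error NotTokenManager(address caller);
    MockFactory public immutable factory;
    mapping(address => uint256) public allowanceGranted;
    constructor(MockFactory f) { factory = f; }

    // Hardened form: the caller must be the token manager registered in the factory.
    // Without the `if` line this is the permissionless behaviour the finding describes.
    function approve(address tokenAddr) external {
        if (msg.sender != factory.tokenManager()) revert NotTokenManager(msg.sender);
        allowanceGranted[tokenAddr] = type(uint256).max;
    }
}

contract ApproveAccessTest is Test {
    address tokenManager;
    address token;
    SimplifiedCapitalPool pool;

    function setUp() public {
        tokenManager = makeAddr("tokenManager");
        token = makeAddr("token");
        pool = new SimplifiedCapitalPool(new MockFactory(tokenManager));
    }

    // Mirrors the PoC: any address other than the token manager must be rejected.
    function testFuzz_NonTokenManagerCannotApprove(address user1) public {
        vm.assume(user1 != tokenManager);
        vm.prank(user1);
        vm.expectRevert(abi.encodeWithSelector(SimplifiedCapitalPool.NotTokenManager.selector, user1));
        pool.approve(token);
    }

    // The legitimate caller still succeeds after the check is added.
    function test_TokenManagerCanApprove() public {
        vm.prank(tokenManager);
        pool.approve(token);
        assertEq(pool.allowanceGranted(token), type(uint256).max);
    }
}
```

Run with `forge test`; the fuzz test fails against the unchecked variant and passes once the `msg.sender` check is in place.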
This is at most low severity, even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.