Anyone can call CapitalPool:approve function and cause reentrancy.
Summary
In functions documentation it is mentioned that function CapitalPool:approve could only be called by token manager but it doesn't check for it.
Vulnerability Details
As there is no check for the caller address and token address any user can call this function and pass any token's address which may lead to a bad approve function that may lead to reentrancy.
Impact
Medium
Tools Used
manual review
Recommendations
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.