Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Missing Access Controls in `CapitalPool::approve`

hlx

Summary

Missing Access Controls in CapitalPool::approve

Vulnerability Details

CapitalPool::approve shown in the code snippet below does not include any access control checks, meaning that anyone could call this function and approve tokens for the tokenManager:

function approve(address tokenAddr) external {
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed();

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L24-L39

However, the comment above the function indicates that only a token manager should be allowed to call this function:

* @notice only can be called by token manager

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L21

Impact

  1. Unauthorized Approval: Since anyone can call the approve function, any external address could grant unlimited token allowances to the tokenManager without the token owner's consent. This could lead to unauthorized spending of tokens on behalf of users or contracts. Malicious actors could drain tokens from the contract by using the tokenManager to transfer these tokens to themselves or other accounts.

  2. **Loss of Funds: **If the tokenManager is compromised or if its behavior is controlled by an attacker, they could exploit the lack of access control to siphon off large amounts of tokens. Users and the contract itself could lose significant funds, which can erode trust and cause financial damage to the stakeholders involved.

  3. Potential for Denial of Service (DoS): Malicious users could repeatedly call the function to set or reset allowances, potentially disrupting the normal operations of the tokenManager. This could cause interruptions in services that rely on the tokenManager, leading to operational inefficiencies.

Tools Used

Manual Review

Recommendations

  • **Use an onlyTokenManager Modifier: **Define a modifier that restricts access:

modifier onlyTokenManager() {
require(msg.sender == tokenManager, "Not authorized");
_;
}
function approve(address tokenAddr) external onlyTokenManager {
// Function logic
}

  • Check Caller Address: Directly within the function, the code could check if the caller is the token manager:

function approve(address tokenAddr) external {
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
require(msg.sender == tokenManager, "Not authorized");
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed();
}
}
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!