[L-1] Anyone can call `CapitalPool::approve` function and given
Relevant Links
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/CapitalPool.sol#L19-L39
Summary
The natspec for CapitalPool::approve function says:
@notice only can be called by token manager
However, there are no access control checks for the same.
Vulnerability Details
As it can be seen anyone can approve tokens on behal
Impact
Likelihood: High
Impact: Low - Max approval for transfer of any token from the CapitalPool can be given to the TokenManager.
Overall severity is low.
Tools Used
Manual Review
Recommendations
Check if the msg.sender is TokenManager
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.