Arbitrary code can be run with CapitalPool as msg.sender
Summary
Function approve(address) can be called by anyone with arbitrary tokenAddr argument.
Vulnerability Details
There is no restricted access implemented on the approve(address) function on the CapitolPool contract.
Impact
Arbitrary token approved to TokenManager OR arbitrary code execution with CapitalPool contract as the msg.sender as long as approve(address, amount) interface is implemented on the provided tokenAddr contract.
Tools Used
manual review
Recommendations
Restrict function call to TokenManager.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.