In CapitalPool.sol the function approve() grants the token manager an allowance on a given token. In the @dev comment we can see the following message:
However, this is not enforced by a modifier and is not checked in the body of the function. This means that anyone can call the function with an arbitrary token address and grant the tokenManager an allowance for that token.
The following test case demonstrates the issue. The test passes, meaning an arbitrary user can grant the token manager an unlimited WETH9 allowance.
Manual review
Add a check that msg.sender is the token manager (for example via a modifier) and revert if it is not.
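The following is an added illustration, not Tadle's code: a simplified pool whose approve() has no caller check, next to the hardened shape the recommendation describes, plus a Foundry test showing that an arbitrary caller succeeds against the first and is reverted by the second. The factory accessor name (tokenManager()), the NotTokenManager error, the mock contracts and the test addresses are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified illustration; not the project's code.
import {Test} from "forge-std/Test.sol";

interface IERC20Like {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ITadleFactoryLike {
    // Assumed accessor: the real factory's lookup may differ.
    function tokenManager() external view returns (address);
}

/// Vulnerable shape from the finding: no caller check, so any address can
/// grant the token manager an unlimited allowance on any token.
contract VulnerableCapitalPool {
    ITadleFactoryLike public immutable factory;

    constructor(address factory_) { factory = ITadleFactoryLike(factory_); }

    function approve(address token) external {
        IERC20Like(token).approve(factory.tokenManager(), type(uint256).max);
    }
}

/// Hardened shape matching the recommendation: revert unless msg.sender is
/// the token manager registered in the factory.
contract HardenedCapitalPool {
    error NotTokenManager(address caller);

    ITadleFactoryLike public immutable factory;

    constructor(address factory_) { factory = ITadleFactoryLike(factory_); }

    modifier onlyTokenManager() {
        if (msg.sender != factory.tokenManager()) revert NotTokenManager(msg.sender);
        _;
    }

    function approve(address token) external onlyTokenManager {
        // msg.sender is the token manager here, so approve it directly.
        IERC20Like(token).approve(msg.sender, type(uint256).max);
    }
}

/// Constructed mocks for the test (assumptions, not project code).
contract MockFactory is ITadleFactoryLike {
    address public tokenManager;
    constructor(address tm) { tokenManager = tm; }
}

contract MockToken is IERC20Like {
    mapping(address => mapping(address => uint256)) public allowance;
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
}

contract CapitalPoolApproveTest is Test {
    address tokenManager = makeAddr("tokenManager");
    address attacker = makeAddr("attacker");

    function test_anyoneCanApproveOnVulnerablePool() public {
        MockFactory f = new MockFactory(tokenManager);
        MockToken t = new MockToken();
        VulnerableCapitalPool pool = new VulnerableCapitalPool(address(f));

        vm.prank(attacker);
        pool.approve(address(t)); // succeeds: no access control
        assertEq(t.allowance(address(pool), tokenManager), type(uint256).max);
    }

    function test_hardenedPoolRejectsNonTokenManager() public {
        MockFactory f = new MockFactory(tokenManager);
        MockToken t = new MockToken();
        HardenedCapitalPool pool = new HardenedCapitalPool(address(f));

        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(HardenedCapitalPool.NotTokenManager.selector, attacker)
        );
        pool.approve(address(t));

        vm.prank(tokenManager);
        pool.approve(address(t)); // the legitimate caller still works
        assertEq(t.allowance(address(pool), tokenManager), type(uint256).max);
    }
}
```

Run with `forge test` in a project that has forge-std installed. The hardened version reads the token manager from the factory at call time rather than caching it, so a guardian-driven redeployment of the token manager is picked up without touching the pool.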
This is at most low severity, even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.