Lack of Access Control in `CapitalPool::approve` Function
Summary
The CapitalPool::approve function lacks proper access control, allowing any address to call it instead of restricting access to the TokenManager contract only.
Vulnerability Details
The approve function in the CapitalPool contract does not implement any access control checks. This allows any external actor to call the function and potentially approve spending of the CapitalPool's tokens.
Impact
Unauthorized approvals of CapitalPool's tokens.
Potential loss of funds if combined with other vulnerabilities.
Violation of the principle of least privilege.
Tools Used
Foundry
Recommendations
Implement access control to restrict the approve function to the TokenManager only:
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.