approve()::CapitalPool.sol is callable by anyone
Summary
approve()::CapitalPool.sol is callable by anyone, but if we refer to the comment of the function, it "can only be called by token manager".
Vulnerability Details
approve()::CapitalPool.sol is callable by anyone, even non token manager contract.
If we refer to the comment of the function, it should only be able to be called by token manager but there is in fact no restriction.
@notice only can be called by token manager
Below is approve()::CapitalPool.sol :
We can see that there is no check to only authorize token manager.
No modifier nor require(msg.sender == tokenManager, "Only token manager can call this function").
Impact
The function doesn't respect the rules defined by the devs, specified in comment. Since this function doesn't take in argument the amount of token to approve, it shouldn't be a problem concerning security, this is why this submission has been defined as Low.
Tools Used
Github, VisualCode.
Recommendations
If you still want to respect the directives in comment, then add :
in approve()::CapitalPool.sol.
Or just change the directives in comment and accept the fact that anyone can call this function.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.