Anyone can trigger approval of token for token manager
Summary
There is no access control on CapitalPool::approve hence anyone is able to call the method and attempting to approve a token.
Commit Hash: 04fd8634701697184a3f3a5558b41c109866e5f8
Repository URL: https://github.com/Cyfrin/2024-08-tadle/tree/main
Vulnerability Details
The CapitalPool::approve function's natspec specifies that the method can only be called by token manager, however, this is not enforced in any way. Any malicious actor will be able to call the function and attempting an approval of the tokenAddr
Impact
Any malicious actor will be able to call the CapitalPool::approve function, resulting in the owner, the CapitalPool contract, approving tokenManager and granting it "infinite approval", as per the documentation of ERC20.
Tools Used
Manual Code Review: Analyzing the contract code directly.
Recommendations
Add access control to the function, either through the use of a modifier in the function definition, or an explicit check in the beginning of the
CapitalPool::approvefunction
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.