CapitalPool's approve function can be called by anyone and therefore used to make calls to a malicious contract
Summary
A malicious user can execute calls to a malicious contract on behalf of the capitalPool using the "approve" function
Vulnerability Details
The approve function in the capitalPool contract allows anyone to make arbitrary calls to an external address using the approve selector:
The issue here is that the contract assumes that the tokenAddress passed will be an ERC20 token and it will call its approve function to allow token transfers to the tokenManager. However since the function can be called by anyone a malicious actor can take advantage of this and make a number of calls to external contracts in a way that can negatively impact the protocol. For example a call to a malicious contract with a custom defined approve function with some harmful logic:
Tools Used
Manual Review
Recommendation
Add the onlyOwner modifier to the capitalPool's approve function and remember to transfer ownership to the TokenManager to allow it call this function.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.