### [H-1] Unrestricted Access to Critical Approve Function
[H-1] Unrestricted Access to Critical Approve Function
Description
The approve function, which grants permission for funds to be able to be withdrawn from capitalPool, lacks proper access controls. This critical function can be called by any user, allowing them to approve and potentially withdraw funds without authorization.
Impact
An unautorized
approveof erc20 in capital pool can lead to many things including users potentially withdraw funds without authorization, this function is meant to be called only by the tokenManager.
Proof of Concept
The following approve function lacks any validation on the caller's identity:
Recommended Mitigation
Implement access control mechanisms to restrict who can call the
approvefunction., make only TokenManager to be the caller
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.