Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Valid

The `approve` function in the `CapitalPool` contract lacks proper access control

Summary

The approve function in the CapitalPool contract lacks proper access control, allowing any external address to execute the function. This vulnerability could enable an attacker to approve unlimited spending of ERC20 tokens held by the contract, potentially leading to significant financial losses.

Vulnerability Details

The approve function allows any external address to call it without any access control mechanism such as `onlyTokenManager`. As a result, any address can instruct the CapitalPool contract to approve an unlimited amount of tokens for spending by the tokenManager contract (or any other contract, depending on the configuration). This can lead to unauthorized transfers of tokens out of the CapitalPool contract, resulting in the depletion of its token reserves.

    function approve(address tokenAddr) external {
        address tokenManager = tadleFactory.relatedContracts(
            RelatedContractLibraries.TOKEN_MANAGER
        );
        (bool success, ) = tokenAddr.call(
            abi.encodeWithSelector(
                APPROVE_SELECTOR,
                tokenManager,
                type(uint256).max
            )
        );
        if (!success) {
            revert ApproveFailed();
        }
    }

Impact

An attacker can call the approve function with an arbitrary token address, granting the tokenManager (or another contract) unlimited spending power over the specified tokens in the CapitalPool. This could allow the attacker to transfer all of those tokens to their own address, leading to substantial financial losses.

Tools Used

Manual review

Recommendations

Restrict access to the approve function by adding an onlyOwner, onlyTokenManager, or similar modifier to ensure only authorized entities can execute it.

    function approve(address tokenAddr) external onlyTokenManager {
        // ... existing code
    }

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity, even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
