Anyone can call approve function in capital pool due to lacking validation
Summary
Capital pool is as a vault in order to store the tokens in it. So, it needs to give approval to token manager contract in order to execute transfers. This approval function can be called by anyone due to missing validation.
Vulnerability Details
In @notice line, it indicates that this function can only be called by token manager but it doesn't validation the msg.sender is token manager.
Impact
Anyone can give approval for specific token
Tools Used
Manual Review
Recommendations
Checking msg.sender is token manager or not
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.