The `approve` function does not check whether the token address `tokenAddr` is valid or not.
Summary
The CapitalPool contract does not perform any validation to ensure that the provided token address (tokenAddr) is a valid token contract. This could lead to unintended approvals for malicious or invalid addresses, posing a significant risk of asset loss.
Vulnerability Details
In the approve function, the CapitalPool contract directly calls the approve function of the token contract at the tokenAddr address without verifying if this address is a valid token contract. This means that any address, including non-token contract addresses or malicious contracts, could be approved to spend tokens from the CapitalPool.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/CapitalPool.sol#L24-L39
Impact
If multiple invalid token contracts are approved, it could lead to integrity and stability issues for the entire system.
Tools Used
manual review
Recommendations
Implement a check to verify if tokenAddr is a valid token contract before calling the approve function.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.