Lack of access control in CapitalPool approve
Summary
There is no access control in CapitalPool::approve function thus allowing anyone to call it while the notice clearly says it should only be called by the token manager.
Vulnerability Details
The notice @notice only can be called by token manager is misleading says the only allowed caller is token manager but any one call the function (no access control). Thus there is contradiction between notice and code implementation as seen below.
Impact
Anyone can approve the tokenManager to spend tokens for any arbitrary token.
Tools Used
Manual review
Recommendations
If the desired behavior is for the function to be called by anyone then remove the notice
@notice only can be called by token managersince it is misleading.Otherwise, Within the approve function, add access control for example
require(msg.sender == tokenManager, "unauthorized")or a better option would be if statement using a Custom Error.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.