Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

Use `safeApprove` instead of `call` in the `approve` function

Summary

The CapitalPool contract utilizes the low-level call function to invoke the approve function of external token contracts. While this provides flexibility, it also introduces the risk of unexpected behavior if the targeted token contract has vulnerabilities or deviates from the standard ERC-20 implementation.

Vulnerability Details

The approve function within CapitalPool constructs the calldata for the ERC-20 approve function and then uses call to execute it on the tokenAddr. However, call does not enforce type safety or adherence to the ERC-20 standard. If the contract at tokenAddr is not a standard ERC-20 token or has malicious code, it could:

  • Revert with a misleading error: The called contract might revert with an error that doesn't accurately reflect the failure, making debugging and error handling difficult.

  • Execute arbitrary code: A malicious contract could use the call as an entry point to execute unintended actions within the CapitalPool contract or even other contracts it interacts with.

  • Return incorrect values: The called contract might return unexpected values, leading to incorrect accounting or state changes within the CapitalPool.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/CapitalPool.sol#L28-L34

    (bool success, ) = tokenAddr.call(
        abi.encodeWithSelector(
            APPROVE_SELECTOR,
            tokenManager,
            type(uint256).max
        )
    );
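
An added illustration (not Tadle's code and not part of the submission) of what a low-level `call` to `approve` actually reports and which checks have to be written by hand around it. The library name `ApproveCallCheck`, the function `checkedApprove` and both error names are hypothetical, and `APPROVE_SELECTOR` is assumed to be the standard `approve(address,uint256)` selector.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example; names are hypothetical and not taken from CapitalPool.sol.
library ApproveCallCheck {
    // Assumption: the selector of the standard ERC-20 approve function.
    bytes4 internal constant APPROVE_SELECTOR =
        bytes4(keccak256("approve(address,uint256)"));

    error NotAContract(address token);
    error ApproveFailed(address token);

    /// Low-level approve that checks three things a bare `call` does not:
    ///  1. the target has code (a call to an address without code succeeds),
    ///  2. the call did not revert,
    ///  3. any returned data decodes to `true`
    ///     (tokens that return nothing are accepted).
    function checkedApprove(address token, address spender, uint256 amount) internal {
        if (token.code.length == 0) revert NotAContract(token);

        // Keep the return data instead of discarding it.
        (bool success, bytes memory returndata) = token.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, spender, amount)
        );

        if (!success) {
            // Bubble up the callee's own revert data when there is any,
            // so the original error is not replaced by a generic one.
            if (returndata.length > 0) {
                assembly {
                    revert(add(returndata, 32), mload(returndata))
                }
            }
            revert ApproveFailed(token);
        }

        // A token that returns `false` instead of reverting must be treated as a failure.
        if (returndata.length != 0 && !abi.decode(returndata, (bool))) {
            revert ApproveFailed(token);
        }
    }
}
```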

Impact

If a malicious token contract is approved, it could drain the CapitalPool's funds or manipulate its state.

Tools Used

manual review

Recommendations

Use Interface or Safe Transfer Library

import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
contract CapitalPool is ... {
using SafeERC20 for IERC20;
// ... (other code snippets) ...
function approve(address tokenAddr) external {
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
+ IERC20(tokenAddr).safeApprove(tokenManager, type(uint256).max);
}
// ... (other code snippets) ...
}
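
Review bot: the `+` line in `approve` has no matching `-` lines, so the snippet does not show whether the existing `tokenAddr.call(...)` block and its `success` result are removed or left in place next to `safeApprove`; show the removal explicitly. The import path also carries no library version: `safeApprove` is deprecated in OpenZeppelin Contracts 4.9 and absent from 5.0, where `forceApprove` replaces it, and in 4.x it reverts when a non-zero allowance is changed to a non-zero value, so a repeated `approve(tokenAddr)` with `type(uint256).max` would revert. State the targeted version and consider `forceApprove`.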
Updates

Lead Judging Commences
0xnevi (Lead Judge), 11 months ago

Submission Judgement Published
0xnevi (Lead Judge), 10 months ago
Invalidated
Reason: Incorrect statement
