Anyone can call the approve function, due to a missing validation
Description:
Approve function is an erc20 critical function which allow funds to be withdrawed from a pool , now the protocol left this critical approve function without any validation on who can call the function making anyone able to approve for them self,
Impact:
if anyone can approve for funds to be withdrawed from a pool this is same thing as giving anyone access to say when money can be withdraw from the protocol or not which the protocol only should have the access to decide when funds should be allowed to be withdrawed
Proof of Concept:
this is the approve function below without any kind of validation on who can call it
Recommended Mitigation:
Include this check in the approve function
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.