Missing access control in CapitalPool::approve
Summary
The access control is missing in the function approve.
Vulnerability Details
Due to the missing access control, anyone can call the function approve to give allowance of any token from CapitalPool to TokenManager.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/CapitalPool.sol#L24
This can be problematic if TokenManager is buggy, and giving allowance from CapitalPool to TokenManager provides more opportunity for the attacker leading to higher financial loss.
Impact
Missing access control.
Tools Used
Recommendations
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/CapitalPool.sol#L24
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.