The `approve` function in the `CapitalPool` contract is designed to allow the `tokenManager` to approve itself for spending tokens from the `CapitalPool`. However, the current implementation lacks proper access control checks, which could allow unauthorized addresses to call the `approve` function. This can lead to unintended consequences, such as unauthorized approvals and potential misuse of tokens held by the `CapitalPool`.
The lack of proper access control in the `approve` function could allow any external caller to execute the function. This would enable unauthorized approvals, potentially leading to significant financial loss if tokens are drained or misappropriated by malicious actors.
An attacker can simply call the `approve` function using any arbitrary address, bypassing the intended restriction that only the `tokenManager` should be able to call this function:
Manual review
To fix this issue, the `approve` function should include an access control modifier (e.g., `onlyTokenManager`) that restricts its execution to the `tokenManager` only. Here’s an updated implementation:
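As an added illustration (not the submitter's proof of concept or updated implementation, and not Tadle's own code), the following Solidity places the unrestricted `approve` beside one gated by an `onlyTokenManager` modifier that resolves the trusted address from the factory on every call. The `ITadleFactory.tokenManager()` getter, the `NotTokenManager` error and the two mock contracts are assumptions of this example; the real TadleFactory interface is not taken from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Only the ERC-20 call this example needs. Tokens whose approve() returns
// no bool would need a low-level call instead; they are out of scope here.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Assumed factory lookup: the getter name and signature are an assumption
// of this example, not the real TadleFactory interface.
interface ITadleFactory {
    function tokenManager() external view returns (address);
}

/// "Before": no caller check, so any externally owned account or contract
/// can trigger an unlimited allowance from the pool to the token manager.
contract CapitalPoolUnrestricted {
    ITadleFactory public immutable factory;

    constructor(ITadleFactory factory_) {
        factory = factory_;
    }

    function approve(address tokenAddr) external {
        address tokenManager = factory.tokenManager();
        require(IERC20(tokenAddr).approve(tokenManager, type(uint256).max), "approve failed");
    }
}

/// "After": the same entry point gated by onlyTokenManager. The trusted
/// address is read from the factory on every call, so a later change of the
/// token manager in the factory is honoured without redeploying the pool.
contract CapitalPoolRestricted {
    error NotTokenManager(address caller);

    ITadleFactory public immutable factory;

    constructor(ITadleFactory factory_) {
        factory = factory_;
    }

    modifier onlyTokenManager() {
        if (msg.sender != factory.tokenManager()) revert NotTokenManager(msg.sender);
        _;
    }

    function approve(address tokenAddr) external onlyTokenManager {
        // msg.sender is the token manager here, enforced by the modifier.
        require(IERC20(tokenAddr).approve(msg.sender, type(uint256).max), "approve failed");
    }
}

/// Constructed mocks so both pools can be exercised in Remix or a Foundry
/// test without the real Tadle contracts.
contract MockFactory is ITadleFactory {
    address public override tokenManager;

    constructor(address tokenManager_) {
        tokenManager = tokenManager_;
    }
}

contract MockToken is IERC20 {
    // owner => spender => allowance, the only state this mock tracks
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external override returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
}
```

To exercise it, deploy `MockToken`, a `MockFactory` pointing at a chosen token manager address, and both pools with that factory. Calling `approve(token)` on `CapitalPoolUnrestricted` from any account sets `allowance[pool][tokenManager]` to `type(uint256).max`; the same call on `CapitalPoolRestricted` from any account other than the token manager reverts with `NotTokenManager`, and the allowance stays at zero. Reading the manager address from the factory inside the modifier, rather than caching it at construction, keeps the pool consistent with whatever the guardian-deployed factory currently reports.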
This is at most low severity, even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.