Anyone can call the CapitalPool::approve()
function for authorization.
The CapitalPool::approve()
function comment states that it can only be called by the token manager
, but in reality, anyone can call this function to perform authorization.
Anyone can call the CapitalPool::approve()
function for authorization.
Manual Review
Add appropriate permission control to the CapitalPool::approve()
function.
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.