`approve()` is used to allow the TokenManager to spend tokens on behalf of CapitalPool. However, despite the @notice stating that it can only be called by TokenManager, it can actually be called by anyone, since it is an external function with no caller check.

`approve()` is implemented as follows.

The @notice states that the function can only be called by the token manager, but the function is external and does not include any check that the caller is indeed the TokenManager. This means that anyone can invoke the function with an arbitrary ERC20 token address, including a contract that implements a custom `approve()`, potentially leading to unexpected behaviour.

Anyone can call `approve()`, which is not the intended functionality of the function. This allows a custom `approve()` function to be used to perform arbitrary actions, potentially leading to unexpected behaviour.

Tools used: manual review.

Recommendation: ensure that `msg.sender` is the TokenManager contract.
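As an added illustration (not the project's own code), a minimal CapitalPool-style contract showing the unguarded pattern this finding describes next to the recommended version that restricts the caller to the TokenManager. The factory interface, the `tokenManager()` lookup and the error names are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: the real TadleFactory lookup differs; only the idea
// (the pool asks the factory which address is the TokenManager) matters here.
interface ITadleFactoryLike {
    function tokenManager() external view returns (address);
}

// Pattern described in the finding: external, no caller check, and the token
// address is caller-supplied, so the low-level call can land on any contract.
contract CapitalPoolUnguarded {
    ITadleFactoryLike public immutable factory;
    bytes4 private constant APPROVE_SELECTOR = bytes4(keccak256("approve(address,uint256)"));

    error ApproveFailed();

    constructor(ITadleFactoryLike _factory) { factory = _factory; }

    /// @notice only can be called by token manager (stated, but not enforced)
    function approve(address tokenAddr) external {
        address tokenManager = factory.tokenManager();
        (bool success, ) = tokenAddr.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, tokenManager, type(uint256).max)
        );
        if (!success) revert ApproveFailed();
    }
}

// Recommended version: the caller must be the TokenManager resolved from the
// factory, so an arbitrary account can no longer trigger the approval call.
contract CapitalPoolGuarded {
    ITadleFactoryLike public immutable factory;
    bytes4 private constant APPROVE_SELECTOR = bytes4(keccak256("approve(address,uint256)"));

    error ApproveFailed();
    error OnlyTokenManager(address caller);

    constructor(ITadleFactoryLike _factory) { factory = _factory; }

    function approve(address tokenAddr) external {
        address tokenManager = factory.tokenManager();
        if (msg.sender != tokenManager) revert OnlyTokenManager(msg.sender);
        (bool success, ) = tokenAddr.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, tokenManager, type(uint256).max)
        );
        if (!success) revert ApproveFailed();
    }
}
```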
This is at most low severity, even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.