Missing access control modifier in `approve` function of `CapitalPool.sol` , anyone can approve tokens
Vulnerability Details
As per the comments of the approvefunction
We can see that it is only supposed to be called by token manager, but the function doesn't have any access control modifier to make sure it can only be called by the token manager.
Link to code: https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L19-L39
Impact
Anyone can call the function and approve tokens, which is undesired
Tools Used
Manual review
Recommendations
Use access control modifier. For example:
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.