Unauthorized access to `approve` function can lead to unauthorized token approvals (`CapitalPool::approve`)
Summary
Vulnerability Detail
The CapitalPool contract is designed to manage capital within the system, including the approval of token spending for the token manager. The approve() function is intended to allow the token manager to set unlimited allowance for specific tokens. However, the current implementation lacks access control, allowing any address to call this function and potentially compromise the system's token management.
The approve() function retrieves the token manager's address from the tadleFactory contract using the relatedContracts() method with the TOKEN_MANAGER identifier. It then calls the approve method on the specified token contract, setting the allowance to the maximum possible value (type(uint256).max) for the token manager.
The issue lies in the absence of access control for the approve() function. Despite the NatSpec comment stating
there is no implementation to enforce this restriction. As a result, any external actor can call this function and approve unlimited spending of any token for the token manager, potentially leading to unauthorized token movements and financial losses.
Impact
Any address can call the approve() function, leading to unauthorized token approvals. This could result in unauthorized parties gaining control over token allowances, potentially draining tokens from the contract or causing other unintended financial consequences.
Proof of Concept
An attacker identifies the
CapitalPoolcontract address.The attacker calls the
approve()function with the address of a valuable token contract (e.g., USDC, DAI, or any other ERC20 token).The function executes without any access control checks:
It retrieves the token manager's address from
tadleFactory.It calls the
approvefunction on the specified token contract, setting an unlimited allowance for the token manager.
The transaction succeeds, and now the token manager has an unlimited allowance for the specified token, potentially allowing unauthorized token movements.
Tools Used
Manual review
Recommendation
Implement proper access control to ensure that only the token manager can call the approve() function. This can be achieved by adding a modifier to check the caller's identity. Here's the recommended fix:
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.