Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Valid

[H-4] Missing Access Control in `approve` Function Allowing Unauthorized Token Approvals

File: CapitalPool.sol

Description:

The `approve` function is intended to grant the TokenManager a token allowance on behalf of the CapitalPool, which is a critical operation. However, the function currently has no access control, so any user can call it and set an unlimited (`type(uint256).max`) approval for an arbitrary token address. This could result in unauthorized token approvals and, in turn, mismanagement of the pool's funds, which is especially sensitive because the platform handles pre-launch tokens.

```solidity
// @audit This should be an access-controlled function
function approve(address tokenAddr) external {
    address tokenManager = tadleFactory.relatedContracts(
        RelatedContractLibraries.TOKEN_MANAGER
    );
    (bool success, ) = tokenAddr.call(
        abi.encodeWithSelector(
            APPROVE_SELECTOR,
            tokenManager,
            type(uint256).max
        )
    );
    if (!success) {
        revert ApproveFailed();
    }
}
```

Tools Used:

Manual review

Recommendation:

Implement access control in the approve function to ensure that only authorized entities, such as the TokenManager or protocol admin/owner, can execute the function. This will prevent unauthorized users from approving tokens, thereby securing the platform against potential misuse or exploits.
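A hardened version of the function, written as an added example and not taken from the Tadle code base: the caller must be the TokenManager address registered in the factory, and the allowance is granted to that caller only. The `ITadleFactory` interface, the `uint8` key type of `relatedContracts`, and the placeholder `TOKEN_MANAGER` constant are assumptions for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface for the factory lookup; the real TadleFactory
// signature is not copied from the project.
interface ITadleFactory {
    function relatedContracts(uint8 key) external view returns (address);
}

library RelatedContractLibraries {
    uint8 internal constant TOKEN_MANAGER = 1; // placeholder key value
}

contract CapitalPoolHardened {
    bytes4 internal constant APPROVE_SELECTOR =
        bytes4(keccak256("approve(address,uint256)"));
    ITadleFactory public immutable tadleFactory;

    error ApproveFailed();
    error Unauthorized(address caller);

    constructor(address factory) {
        tadleFactory = ITadleFactory(factory);
    }

    function _tokenManager() internal view returns (address) {
        return tadleFactory.relatedContracts(RelatedContractLibraries.TOKEN_MANAGER);
    }

    // Only the TokenManager registered in the factory may trigger the approval,
    // so an arbitrary user can no longer set allowances on the pool's behalf.
    modifier onlyTokenManager() {
        if (msg.sender != _tokenManager()) revert Unauthorized(msg.sender);
        _;
    }

    function approve(address tokenAddr) external onlyTokenManager {
        (bool success, bytes memory data) = tokenAddr.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, msg.sender, type(uint256).max)
        );
        // Additional check beyond the original finding: also reject tokens whose
        // approve() returns false instead of reverting.
        if (!success || (data.length != 0 && !abi.decode(data, (bool)))) {
            revert ApproveFailed();
        }
    }
}
```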

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity, even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
