Missing Access Control on CapitalPool's `approve` Function
Summary
The access control for CapitalPool's approve function is not consistent with the comment.
Vulnerability Details
The approve function in the CapitalPool contract lacks proper access control. While the function comment indicates that it "only can be called by token manager", there is no implementation to enforce this restriction. This allows any external account to call the function, potentially leading to unauthorized token approvals.
Impact
Unexpected token approval for tokenManager, which can be dangerous when tokenManager contract is compromised.
Tools Used
Manual
Recommendations
Implement proper access control for the approve function based on design.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.