The approve function in the CapitalPool contract is intended to be called only by the token manager to approve tokens for use. However, the function lacks any access control, so any external address can call it. This oversight creates a severe security vulnerability with potentially devastating consequences.
The NatSpec comment clearly indicates that this function should only be callable by the token manager. However, the external visibility without any access control allows any address to call this function.
Although the contract derives the token manager address correctly using tadleFactory.relatedContracts(RelatedContractLibraries.TOKEN_MANAGER), this does not mitigate the main issue of unrestricted access to the approve function.
Impact: loss of user funds.
Tools used: manual review.
Recommendation: use a modifier to restrict access and ensure that only the TokenManager contract can call the approve function.
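The following Solidity snippet is an added illustration, not code from the Tadle repository: it places a minimal reconstruction of the unrestricted approve function next to the recommended form guarded by an onlyTokenManager modifier. The approve(address) signature, the IERC20 and ITadleFactory interfaces, and the numeric value of RelatedContractLibraries.TOKEN_MANAGER are assumptions; only the names CapitalPool, TokenManager, tadleFactory.relatedContracts and RelatedContractLibraries.TOKEN_MANAGER come from the finding itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction for the finding above. Interfaces, the approve
// signature and the TOKEN_MANAGER key value are assumptions, not the audited code.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ITadleFactory {
    function relatedContracts(uint256 key) external view returns (address);
}

library RelatedContractLibraries {
    uint256 internal constant TOKEN_MANAGER = 1; // assumed key value
}

error Unauthorized(address caller);

/// @dev "Before" shape of the finding: the token manager is resolved correctly,
///      but nothing checks who invoked the function.
contract CapitalPoolUnrestricted {
    ITadleFactory public immutable tadleFactory;

    constructor(ITadleFactory factory) {
        tadleFactory = factory;
    }

    /// @notice Intended to be called only by the token manager, but externally
    ///         visible with no access control, so any address can trigger it.
    function approve(address tokenAddr) external {
        address tokenManager = tadleFactory.relatedContracts(
            RelatedContractLibraries.TOKEN_MANAGER
        );
        IERC20(tokenAddr).approve(tokenManager, type(uint256).max);
    }
}

/// @dev Recommended shape: a modifier derives the TokenManager address from the
///      factory and reverts for every other caller.
contract CapitalPoolRestricted {
    ITadleFactory public immutable tadleFactory;

    constructor(ITadleFactory factory) {
        tadleFactory = factory;
    }

    /// @dev Resolves the token manager at call time so a factory update is honoured.
    modifier onlyTokenManager() {
        address tokenManager = tadleFactory.relatedContracts(
            RelatedContractLibraries.TOKEN_MANAGER
        );
        if (msg.sender != tokenManager) revert Unauthorized(msg.sender);
        _;
    }

    /// @notice Only the TokenManager contract can reach this body; the spender
    ///         is msg.sender, which the modifier has just verified.
    function approve(address tokenAddr) external onlyTokenManager {
        IERC20(tokenAddr).approve(msg.sender, type(uint256).max);
    }
}
```

Resolving the token manager inside the modifier rather than caching it in a constructor keeps the check aligned with whatever the factory currently returns, and reverting with a custom error records the rejected caller without granting anything.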
This is at most low severity, even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.