Improper Authorization
| Property | |
|---|---|
| Language | solidity |
| Severity |  |
| CWE | CWE-285: Improper Authorization |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
The contract calls erc20.transferFrom with a user-supplied ‘from’ address instead of restricting it to msg.sender. This allows anyone to transfer tokens from any address that has approved the contract, not just their own.
Impact#
An attacker could transfer tokens from other users’ accounts without their consent, as long as those users have approved the contract. This can lead to unauthorized token theft and significant financial losses for users.