Infinite allowance when owner is spending (MultiToken)

[jubeira]

Description

Since we're using the router as intermediary for BPT exits, the vault burns BPT from the router, spending allowance in the process. But in this case, the router is also the owner when the call is made, so it should already be able to spend without explicit approval. A transferFrom where owner == spender is actually a regular transfer (and burn is equivalent to transferFrom in this aspect).

Type of change

• [ ] Bug fix
• [x] New feature
• [ ] Breaking change
• [ ] Dependency changes
• [ ] Code refactor / cleanup
• [ ] Documentation or wording changes
• [ ] Other

Checklist:

• [x] The diff is legible and has no extraneous changes
• [x] Complex code has been commented, including external interfaces
• [x] Tests have 100% code coverage
• [x] The base branch is either main, or there's a description of how to merge

Issue Resolution

N/A

[openzeppelin-code[bot]]

Infinite allowance when owner is spending (MultiToken)

Generated at commit: e28fed149f4b53b1c2b1da90276139b014fec115

🚨 Report Summary

	Severity Level	Results
Contracts	Critical High Medium Low Note Total	2 2 0 11 37 52
Dependencies	Critical High Medium Low Note Total	0 0 0 0 0 0

---

For more details view the full report in OpenZeppelin Code Inspector