NestedFactory._decreaseHoldingAmount needs explicit amount control for spending reserve

[code423n4]

Handle

hyh

Vulnerability details

Impact

Using uint256 safe operations for business logic leads to less clear code, potentially hiding issues.

Proof of Concept

_decreaseHoldingAmount doesn't check the amount, doing the subtraction right away: https://github.com/code-423n4/2021-11-nested/blob/main/contracts/NestedFactory.sol#L514

Recommended Mitigation Steps

Add amount control:

require(holding.amount >= _amount, "Overspent")

[maximebrugel]

The amount is already checked in _transferInputTokens

[alcueca]

Checking data integrity in a previous function is not a great practice. The issue is valid.