code-423n4 / 2021-12-amun-findings


PolygonERC20Wrapper can emit burn event instead of calling ERC20 functions #208

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

kenzo

Vulnerability details

Upon withdraw and withdrawTo, PolygonERC20Wrapper calls _mint and _burn, presumably to be able to generate a burn event. But it can just emit a burn event, just as it emits a deposit event in deposit. This will save the gas of calling and executing the ERC20 functions. Code ref

Recommended Mitigation Steps

Change _mint and _burn to emit Transfer(user/recipient, address(0), amount).
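The pattern the finding describes, as an added example that is not code from the Amun repository or from the issue author: a minimal wrapper token showing the mint-then-burn path beside the emit-only path. The contract name ExampleWrapper, the function names withdrawBefore and withdrawAfter, and the event Withdraw are assumptions for illustration; the example also assumes, as the finding does, that the only thing the withdraw flow needs from the ERC20 calls is the Transfer(user, address(0), amount) log.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. ExampleWrapper is a hypothetical
// child-chain wrapper token whose withdraw flow is assumed to need only the
// standard ERC20 burn log, i.e. Transfer(from, address(0), amount), and not
// any lasting change to balances or totalSupply.
contract ExampleWrapper {
    // Standard ERC20 Transfer signature; topic0 is
    // keccak256("Transfer(address,address,uint256)") in both paths below.
    event Transfer(address indexed from, address indexed to, uint256 value);
    // Hypothetical withdraw event, mirroring the deposit event the finding mentions.
    event Withdraw(address indexed user, uint256 amount);

    mapping(address => uint256) private _balances;
    uint256 public totalSupply;

    // "Before": mint the amount to the user and immediately burn it. The two
    // calls cancel out in storage (balance and totalSupply are written twice
    // and end where they started); the only lasting effect is the two logs,
    // of which only the second, the burn, is wanted.
    function withdrawBefore(uint256 amount) external {
        _mint(msg.sender, amount);
        _burn(msg.sender, amount);
        emit Withdraw(msg.sender, amount);
    }

    // "After": emit the burn log directly. No storage is touched, so the
    // SSTOREs and the unchecked arithmetic of _mint/_burn are skipped, and
    // the spurious mint log (Transfer(address(0), user, amount)) disappears.
    // Any consumer keyed on the Transfer signature and this contract's
    // address sees the same burn log as before.
    function withdrawAfter(uint256 amount) external {
        emit Transfer(msg.sender, address(0), amount);
        emit Withdraw(msg.sender, amount);
    }

    // Minimal OpenZeppelin-style internals, included so the storage writes
    // saved by withdrawAfter are visible.
    function _mint(address account, uint256 amount) internal {
        require(account != address(0), "mint to zero address");
        totalSupply += amount;
        _balances[account] += amount;
        emit Transfer(address(0), account, amount);
    }

    function _burn(address account, uint256 amount) internal {
        require(account != address(0), "burn from zero address");
        uint256 bal = _balances[account];
        require(bal >= amount, "burn exceeds balance");
        _balances[account] = bal - amount;
        totalSupply -= amount;
        emit Transfer(account, address(0), amount);
    }
}
```

Two things to check before applying this in a real wrapper: the emitted event must be the exact ERC20 Transfer signature, since an exit or indexing mechanism that matches on topic0 will ignore a differently named or differently typed event; and because the mint-then-burn pair never enforced anything about the caller's real balance (the mint always preceded the burn), the emit-only version is equally unconditional, so whatever require governs the underlying token transfer in withdraw and withdrawTo must stay in place.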