code-423n4 / 2021-12-amun-findings


Due to lack of input validation, self transfer can happen #244

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

JMukesh

Vulnerability details

Impact

ERC20Facet.transferFrom() lacks a check on the "to" and "from" addresses, due to which both addresses can be the same, causing a self transfer.

Proof of Concept

https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/facets/ERC20/ERC20Facet.sol#L147

Tools Used

Manual review

Recommended Mitigation Steps

Add checks for the input parameters.

0xleastwood commented 2 years ago

No direct security concern, marking as non-critical.