attacker can burn anyones tokens and steal everyones money

[code423n4]

Lines of code

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashLogic.sol#L202

Vulnerability details

Impact

attacker can burn tokens and balance of contract is an amount of less or greater in sendtokenreciver function and if receiver is me then tokentransfer can be more than i lended or borrwing,withdrawing and gain me extra tokens. _burn function is called super.burn gives the parm of from and in erc777.sol from isnt the owner only in the burn function that is true  ex:  somehow alice (alice-attacker)  calls _burn super.burn (vitcim,200000,userdata,operaterdata ); alice burns vitcim 20000 amount of tokens and opt.reciver is alice assetinternalCashClaim=2000000; then in the same alice tx   withdrawCashToaccount  is called (opt.reciver is alice with assetinternalcashclaim) in the withdrawcashToaccount function balancebefore lets say is not eth so token.balance of this contract = 20000  then we get the withdraw of the tokens to your account. and then it gets worse  tokenstransfered= which calls _sendTokensReciever(token,reciver,iseth,balancebefore); in _sendtokensReciver balanceafter is the current balance of token of this contract if balancebefore is 100in the pot and balanceafter someone just deposit 1000 tokens then tokensTransfered=1000-100
then it will transfer alice the attacker 900 tokens with out paying for it.

Recommended Mitigation Steps

same check that tokenstransferd variable is state variable and put event around it to check and make from in super.burn function msg.sender

[jeffywu]

It's not clear to me what the reporter is saying here.