To stay compatible with the Uniswap V2 interface, the V3Proxy contract accepts a to parameter, whose original purpose is to specify the address the tokens are sent to.
In this protocol, however, tokens are always sent to msg.sender, not to the to address; this is by design.
Users may misunderstand this and mistakenly pass a different address, which will not behave as they intend.
Mitigation
Emphasize this by strictly requiring msg.sender == to:
require(msg.sender == to, "Swap to self only");
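The check in context, as an added example that is not the V3Proxy source: a hypothetical ProxySketch contract using the parameter list of Uniswap V2's swapExactTokensForTokens. The swap itself is replaced by a constructed 1:1 payout from the contract's own balance, and the single-hop restriction is an assumption of the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical sketch, not the audited V3Proxy: a Uniswap V2-style entry
/// point whose payout always goes to msg.sender.
contract ProxySketch {
    /// Same parameter list as Uniswap V2's swapExactTokensForTokens.
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts) {
        // Mitigation from the finding: reject a `to` that would be ignored,
        // so a mismatched recipient fails loudly instead of silently.
        require(msg.sender == to, "Swap to self only");
        require(block.timestamp <= deadline, "Expired");
        require(path.length == 2, "Sketch supports one hop");

        // Constructed stand-in for the real swap: fixed 1:1 rate, paid from
        // this contract's own balance of path[1].
        uint256 amountOut = amountIn;
        require(amountOut >= amountOutMin, "Insufficient output");

        require(
            IERC20(path[0]).transferFrom(msg.sender, address(this), amountIn),
            "Pull failed"
        );
        // Payout goes to msg.sender by design; `to` is never a recipient.
        require(IERC20(path[1]).transfer(msg.sender, amountOut), "Payout failed");

        amounts = new uint256[](2);
        amounts[0] = amountIn;
        amounts[1] = amountOut;
    }
}
```

Without the first require, a call with to set to another address would succeed and still pay msg.sender, which is the mismatch the finding describes.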
Comments
Suggestion
Explain to users in documentation
Conclusion
LGTM