hats-finance / Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77

Core smart contracts of Velvet Capital

multiTokenSwapAndTransfer is not checking that `balance` and `data._depositAmount` are the same #37

Open hats-bug-reporter[bot] opened 1 week ago

hats-bug-reporter[bot] commented 1 week ago

Github username: @aktech297
Twitter username: kaka
Submission hash (on-chain): 0x7c5f8813e51765bc895774914befb1723bbc2ca6fad615dee5f53ab04aecf61e
Severity: high

Description: multiTokenSwapAndTransfer does not check that data._depositAmount and balance are the same.

First, the function transfers the token from the user for an amount of data._depositAmount.

Later, in the for loop, it decodes the token balance and uses this to mint.

```solidity
if (_token == _depositToken) {
  //Sending encoded balance instead of swap calldata
  balance = abi.decode(data._callData[i], (uint256));
}
```

The issue is that data._depositAmount can be very small, like 1 wei, while the decoded balance is a big value.

So by transferring a small amount, the user can mint a large value.

Attachments

  1. Proof of Concept (PoC) File: code link

  2. Revised Code File (Optional): Check that both amount values are the same.

langnavina97 commented 6 days ago

There is no need to check if data._depositAmount and balance are equal. The depositAmount is only used to transfer the token to the batch contract if the input token is not ETH (native). The balance is calculated afterward to reflect the current balance of the deposit handler. @aktech297
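As an added illustration, not the project's code and not part of this thread, the following hypothetical Solidity contract contrasts the two designs discussed above: the pattern the report describes, where the amount minted is decoded from caller-supplied calldata after a transferFrom of _depositAmount, and the pattern the reply describes, where _depositAmount is only used for the pull and the minted amount is measured from the handler's own balance afterwards. The contract name, the function names, the `shares` mapping and the minimal IERC20 interface are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed for the example (assumption: standard ERC20 semantics).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical deposit handler written for this example only; it is not Velvet Capital code.
/// `shares` stands in for whatever token the real handler mints.
contract DepositHandlerExample {
    mapping(address => uint256) public shares;

    /// Pattern described in the report: pull `depositAmount`, then mint an amount the caller
    /// encoded in `callData`. Nothing ties the two numbers together, so a caller can pull
    /// 1 wei and encode 1e18. Shown only as the "before" shape; do not deploy.
    function depositTrustingCalldata(
        IERC20 depositToken,
        uint256 depositAmount,
        bytes calldata callData
    ) external returns (uint256 minted) {
        require(depositToken.transferFrom(msg.sender, address(this), depositAmount), "transfer failed");
        minted = abi.decode(callData, (uint256)); // caller-controlled value
        shares[msg.sender] += minted;
    }

    /// Pattern described in the reply: `depositAmount` is only used for the pull; the amount
    /// minted is measured from the handler's balance after the transfer. The `require` is the
    /// equality check the report asked for; the measured delta alone already removes the
    /// mismatch, and it also copes with fee-on-transfer tokens where less than
    /// `depositAmount` actually arrives.
    function depositMeasured(
        IERC20 depositToken,
        uint256 depositAmount,
        bytes calldata callData
    ) external returns (uint256 minted) {
        uint256 before = depositToken.balanceOf(address(this));
        require(depositToken.transferFrom(msg.sender, address(this), depositAmount), "transfer failed");
        uint256 received = depositToken.balanceOf(address(this)) - before;

        uint256 encoded = abi.decode(callData, (uint256));
        require(encoded == received, "encoded amount != received amount");

        minted = received; // never the caller's number
        shares[msg.sender] += minted;
    }
}
```

With `depositTrustingCalldata`, a call with `depositAmount = 1` and `callData = abi.encode(1e18)` credits 1e18 shares for 1 wei; the same call to `depositMeasured` reverts, and a well-formed call credits exactly the tokens the handler holds more of than it did before. For the native-token path the reply mentions, the analogous measured quantity is `msg.value` rather than a balance delta around `transferFrom`.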