sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
auditsea commented:
Makes no sense
Closed sherlock-admin closed 7 months ago
sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
auditsea commented:
Makes no sense
sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
auditsea commented:
Makes no sense
nevillehuang
commented
7 months ago Invalid, from address is msg.sender representing the caller, not arbitrary.
tsueti_
medium
Arbitrary from passed to transferFrom (or safeTransferFrom)
Summary
Passing an arbitrary from address to transferFrom (or safeTransferFrom ) can lead to loss of funds, because anyone can transfer tokens from the from address if an approval is made.
Vulnerability Detail
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol:L379
Impact
Code Snippet
Found in ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol Line: 379
Tool used
Manual Review
Recommendation
Avoid passing arbitrary from to transferFrom (or safeTransferFrom)