Why is this a critical issue?

Israel_Lazo · May 3, 2024, 6:50pm

I'm testing Defender in my contract and is reporting that the following transferFrom() is insecure in a critical level:

By allowing an arbitrary address to be used as the from parameter, it means that anyone could potentially transfer tokens from someone else's address without proper authorization. This could lead to unauthorized token transfers and potential loss of funds for the token owner.

The address "from" is the contract instance itself.

IERC20(bet.tokenAddress).transferFrom(address(this), feeAddress, totalAmount);

Is this a false positive or am I doing something wrong?

madeindreams · August 23, 2024, 6:15pm

You can use the transfer itself since you are the owner of the tokens.

when your not the owner but are approved.
transferFrom(some_external_address, to_address, amount);

If you are the owner of the tokens
You can just transfer

Israel_Lazo · August 24, 2024, 10:06am

thanks! that makes sense

Topic		Replies	Views
Why is it safe for ERC20.sol transferFrom() to be public? Contracts erc20	3	2548	July 1, 2019
Does require(transferFrom) equal to SafeERC20 library? Contracts	2	519	September 14, 2022
How transferFrom can be used with addresses other than the contract’s own? Contracts	2	2683	June 25, 2020
Transfer user token to contract owner address by contract Smart Contracts erc20 , bep20	3	988	December 2, 2022
Question about the design of ERC20 transferFrom function Contracts erc20 , design , solidity , openzeppelin-contracts	5	709	June 8, 2022

Why is this a critical issue?

Related topics