I'm testing Defender on my contract and it is reporting that the following transferFrom() is insecure at a critical level:
"By allowing an arbitrary address to be used as the from parameter, it means that anyone could potentially transfer tokens from someone else's address without proper authorization. This could lead to unauthorized token transfers and potential loss of funds for the token owner."
The address "from" is the contract instance itself.
IERC20(bet.tokenAddress).transferFrom(address(this), feeAddress, totalAmount);
Is this a false positive or am I doing something wrong?
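Added example (not from the original post, from Defender, or from OpenZeppelin) contrasting the call shapes the finding describes. A constructed MinimalToken with the standard ERC-20 allowance check stands in for IERC20(bet.tokenAddress); FeeEscrow, the payFee* functions and the owner guard are hypothetical names chosen here:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal ERC-20 so the example compiles on its own. The
// transferFrom allowance check mirrors what standard implementations do:
// the spender is msg.sender, and allowance[from][spender] must cover amount.
contract MinimalToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address initialHolder, uint256 supply) {
        balanceOf[initialHolder] = supply;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Moves the caller's own balance; no allowance is involved.
    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    // Moves `from`'s balance on behalf of msg.sender, consuming allowance.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        allowance[from][msg.sender] = allowed - amount;
        _move(from, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

// Hypothetical escrow that holds tokens and pays a fee out of its own balance.
contract FeeEscrow {
    MinimalToken public immutable token;
    address public immutable feeAddress;
    address public immutable owner;

    constructor(MinimalToken token_, address feeAddress_) {
        token = token_;
        feeAddress = feeAddress_;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The shape the finding describes: `from` is supplied by the caller, so the
    // call can move any holder's approved tokens, not just the escrow's own.
    // Shown only to contrast with the two functions below.
    function payFeeFromArbitrary(address from, uint256 amount) external onlyOwner {
        token.transferFrom(from, feeAddress, amount);
    }

    // The shape in the question: `from` is fixed to address(this). No caller can
    // choose another holder, but the token still checks allowance[this][this],
    // because the spender (msg.sender inside the token) is this contract. It
    // reverts with "insufficient allowance" unless the escrow has first called
    // token.approve(address(this), amount) on itself.
    function payFeeFromSelf(uint256 amount) external onlyOwner {
        token.transferFrom(address(this), feeAddress, amount);
    }

    // The usual way for a contract to spend its own balance: transfer() moves
    // msg.sender's tokens, and msg.sender inside the token is this contract.
    function payFee(uint256 amount) external onlyOwner {
        token.transfer(feeAddress, amount);
    }
}
```

With `from` hard-wired to address(this), the authorization risk the finding text describes (a caller naming someone else as `from`) does not arise, since nothing in the call is caller-controlled; what does differ is that transferFrom still consumes allowance[this][this], so the call only succeeds if the contract has approved itself, whereas transfer() moves the contract's own balance directly. Detectors that match on the transferFrom call shape rather than on where `from` comes from will report both payFeeFromArbitrary and payFeeFromSelf the same way, so reviewing who controls the `from` argument is the check that separates the two.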