solidity.security.arbitrary-send-erc20.arbitrary-send-erc20

Author
unknown
msg.sender is not used as the `from` argument when calling erc20.transferFrom. Example - Alice approves this contract to spend her ERC20 tokens. Bob can call function 'a' and specify Alice's address as the `from` parameter in transferFrom, allowing him to transfer Alice's tokens to himself.

Definition

rules:
  - id: arbitrary-send-erc20
    patterns:
      - pattern: $FUNC.transferFrom(...)
      - pattern-not: $FUNC.transferFrom(..., msg.sender, ...)
    message: msg.sender is not being used when calling erc20.transferFrom. Example -
      Alice approves this contract to spend her ERC20 tokens. Bob can call
      function 'a' and specify Alice's address as the from parameter in
      transferFrom, allowing him to transfer Alice's tokens to himself.
    languages:
      - solidity
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      subcategory:
        - audit
      category: security
      technology:
        - solidity
      cwe:
        - "CWE-285: Improper Authorization"
      references:
        - https://github.com/crytic/slither/wiki/Detector-Documentation#arbitrary-from-in-transferfrom
        - https://cwe.mitre.org/data/definitions/285.html
      owasp:
        - A01:2021 - Broken Access Control
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
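
The rule's matching logic reproduced as an added Python check (not Semgrep's own code) over a constructed Solidity snippet: a `transferFrom` call is reported when no argument is `msg.sender`, which also shows why a call that passes `msg.sender` as the recipient rather than as `from` is not reported by this rule.

```python
import re
# Constructed Solidity source (not from the page) covering the rule's pattern and pattern-not.
SAMPLE = """\
contract Vault {
    IERC20 erc20;
    function a(address from, address to, uint256 amount) public {
        erc20.transferFrom(from, to, amount);          // arbitrary `from`: flagged
    }
    function b(address to, uint256 amount) public {
        erc20.transferFrom(msg.sender, to, amount);    // caller spends own allowance: ok
    }
    function c(address from, uint256 amount) public {
        erc20.transferFrom(from, msg.sender, amount);  // msg.sender only as `to`: rule stays silent
    }
}
"""

CALL = re.compile(r"\.transferFrom\s*\(")  # $FUNC.transferFrom(...) for any receiver expression

def split_top_level_args(src, start):
    """Split the balanced argument list whose '(' is at src[start]; returns (args, index_of_close)."""
    depth, buf, args = 0, "", []
    for i in range(start, len(src)):
        ch = src[i]
        if ch == "(":
            depth += 1
            if depth == 1:
                continue  # the call's own opening parenthesis
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append(buf.strip())
                return args, i
        if ch == "," and depth == 1:
            args.append(buf.strip())
            buf = ""
        else:
            buf += ch
    raise ValueError("unbalanced parentheses")

def find_arbitrary_transfer_from(src):
    """1-based line numbers of transferFrom calls with no msg.sender argument (the rule's logic)."""
    hits = []
    for m in CALL.finditer(src):
        args, _ = split_top_level_args(src, m.end() - 1)
        if "msg.sender" not in args:
            hits.append(src.count("\n", 0, m.start()) + 1)
    return hits
```

Running `find_arbitrary_transfer_from(SAMPLE)` reports only line 4; line 10 escapes because the pattern-not accepts `msg.sender` in any argument position, so a manual check of which position it occupies is still needed.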

Examples

arbitrary-send-erc20.sol

    pragma solidity ^0.8.0;
    interface IERC20 {
        function transferFrom(address from, address to, uint256 amount) external returns (bool);
    }
    contract ArbitrarySendERC20 {
        IERC20 public erc20;
        constructor(IERC20 token) { erc20 = token; }
        // Any caller may pass an arbitrary `from`, spending any holder's allowance granted to this contract.
        function a(address from, address to, uint256 amount) public {
            // ruleid: arbitrary-send-erc20
            erc20.transferFrom(from, to, amount);
        }
        // Only the caller's own allowance can be spent.
        function b(address from, address to, uint256 amount) public {
            // ok: arbitrary-send-erc20
            erc20.transferFrom(msg.sender, to, amount);
        }
    }