Trader Joe v2 contest - Randyyy's results

Lines of code

https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/LBToken.sol#L191

Vulnerability details

Impact

the safetransferFrom() didn't check if the from and to args is the same, and on the _transfer() it records the balance of the to address with _toBalance https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/LBToken.sol#L187, then adding the balance based on the _toBalance instead of using the _balances[_id][_to], therefore it will add the value based on the old balance that the to address has. and not the balance that was already substracted on https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/LBToken.sol#L190

exmaple: if your initial balance 100, and you want to make a self transfer for 50, your address will get 150. function _transfer( address _from, address _to, uint256 _id, uint256 _amount ) internal virtual { uint256 _fromBalance = _balances[_id][_from]; // this is 100 if (_fromBalance < _amount) revert LBToken__TransferExceedsBalance(_from, _id, _amount);

    _beforeTokenTransfer(_from, _to, _id, _amount);

    uint256 _toBalance = _balances[_id][_to]; // this is 100

    unchecked {
        _balances[_id][_from] = _fromBalance - _amount; // this will become 50, because 100 - 50
        _balances[_id][_to] = _toBalance + _amount; // but this will become 150, because 100 + 50
    }

    _remove(_from, _id, _fromBalance, _amount);
    _add(_to, _id, _toBalance, _amount);
}

Proof of Concept

https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/LBToken.sol#L191