Slither

Community Analyzer

transferFrom uses arbitrary from SLITHER-W1002

Anti-pattern
Critical

Detect when msg.sender is not used as from in transferFrom.

Exploit Scenario

// `erc20` is an ERC20 token reference held by the contract; the caller chooses `from`
function a(address from, address to, uint256 amount) public {
    // `from` is caller-controlled: any account that approved this contract can be drained by anyone
    erc20.transferFrom(from, to, amount);
}

Alice approves this contract to spend her ERC20 tokens. Bob can call a and specify Alice's address as the from parameter in transferFrom, allowing him to transfer Alice's tokens to himself.

Recommendation

Use msg.sender as from in transferFrom.
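The following Solidity contracts are an added example and are not code from Slither's wiki: a vault whose deposit function takes an arbitrary from (the pattern this detector flags) next to a hardened version that only ever pulls from msg.sender. The contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable: `from` comes from the caller, so anyone can spend an approval that
// another account granted to this contract (flagged by arbitrary-send-erc20).
contract VulnerableVault {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) { token = _token; }

    function deposit(address from, uint256 amount) external {
        // A caller can pass a victim's address as `from`: the victim's approval is
        // consumed and the deposit is credited to msg.sender instead.
        require(token.transferFrom(from, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }
}

// Hardened: the only account whose tokens can be pulled is the caller itself, so an
// approval granted to this contract can be used only by the account that granted it.
contract SafeVault {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }
}
```

Running slither on a file containing both contracts reports only VulnerableVault.deposit, since SafeVault passes msg.sender as from.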

Learn more

arbitrary-send-erc20 on Slither's wiki.