Submission Details
Severity: medium
Invalid

depositTokensToL2 unnecessary 'from' parameter

Summary

The depositTokensToL2 function facilitates the locking of tokens in the vault and triggers the emission of a Deposit event. It is intended for the depositor to initiate the token deposit process (as mentioned in the NatSpec).

Vulnerability Details

Slither flagged the use of an "arbitrary from in transferFrom" as a potential vulnerability. However, it seems that the intention is for the depositor to be explicitly specified in the function. No mention of depositing on someone else's behalf is indicated in the function or its documentation.

Impact

The code as structured appears to allow token deposits from a specified address (from) to the vault. The impact could be related to potential confusion caused by the naming of the from parameter, which might suggest the possibility of depositing on behalf of someone else. This could potentially mislead auditors or developers into assuming an unintended functionality, as well as potentially opening up for exploits.

Tools Used

Static analysis [Slither] + manual inspection

Recommendations

Change 'from' to use msg.sender instead.
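
The pattern Slither reports as "arbitrary from in transferFrom", next to the msg.sender form recommended above. This is an added example, not code from the submission or the audited project; the contract name, the l2Recipient parameter and the event layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Names and layout are assumed, not the audited code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount)
        external
        returns (bool);
}

contract BridgeSketch {
    IERC20 public immutable token;
    address public immutable vault;

    event Deposit(address from, address to, uint256 amount);

    constructor(IERC20 _token, address _vault) {
        token = _token;
        vault = _vault;
    }

    // Flagged form: the caller supplies `from`, so the allowance that gets
    // spent belongs to whichever approving address the caller names, and the
    // Deposit event credits an l2Recipient the token owner never chose.
    function depositWithFrom(address from, address l2Recipient, uint256 amount)
        external
    {
        require(token.transferFrom(from, vault, amount), "transfer failed");
        emit Deposit(from, l2Recipient, amount);
    }

    // Recommended form: the source of funds is always the caller, so a
    // deposit can only spend the allowance of the account that sent the call.
    function depositFromSender(address l2Recipient, uint256 amount) external {
        require(token.transferFrom(msg.sender, vault, amount), "transfer failed");
        emit Deposit(msg.sender, l2Recipient, amount);
    }
}
```

Running Slither with only the arbitrary-send-erc20 detector enabled should report depositWithFrom and stay silent on depositFromSender, which makes it a quick regression check after the change.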

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
