Minor issue: It is possible to transfer more than user balance when transfering to self with transferFrom

[yaronvel]

In transferFrom first receiver balance is increment and only then spender balance is decremented.
This allows to send more than you have. It is very minor as you send it to your self and total balance is not affected.
However, it is inconsistent with transfer where you first decrements sender balance and only then increment receiver balance.

[frangio]

Great find, @yaronvel!

Just to clarify for everyone who sees this, this is only a minor problem because the sender's balance remains the same. However, attempting a transfer of more than the balance should fail.

I think this is actually an oversight in the ERC20 spec, too. For transfer it specifies that it should throw if the sender doesn't have enough balance, but it doesn't say anything for transferFrom.

Do you want to submit a PR swapping the sub and add lines, @yaronvel?

[yaronvel]

Thanks, I will submit PR soon.
One should also be aware that Transfer event will be logged. So if some services rely on this log (e.g., measure daily volume), it could be a real issue.

[frangio]

That's correct. Thanks for reporting and fixing! (Fixed in #377)