TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: low
Invalid

Airdrop Function Allows Sender to Include Themselves as Recipient

Summary

The TSender.sol and TSender.huff contracts are designed to airdrop ERC20 tokens to a list of recipients. However, a user can include their own address in the recipient list and thereby airdrop tokens to themselves.

Vulnerability Details

The airdropERC20 function does not prevent the sender (caller) from including their own address in the recipients list. This means that the sender can effectively airdrop tokens to themselves. Here is a step-by-step breakdown of the issue:

  1. Transfer From Sender: The function first transfers the total amount of tokens from the sender to the contract itself.

  2. Loop Through Recipients: The function then loops through the recipients and transfers the specified amounts to each recipient.

  3. Self-Inclusion: The sender can include their own address in the recipients list and specify any amount of tokens to be transferred to themselves.

In the following Foundry fuzz test, the sender adds themselves as the only recipient and receives the entire airdrop back; the test asserts that both the Yul and Huff implementations behave the same way and that the sender's balance is unchanged afterwards:

function testAirDropToSender(uint128 totalAmount, address sender) public {
    vm.assume(sender != address(0));
    vm.assume(totalAmount != 0);
    uint256 NUMBER_OF_CONTRACTS = 2;
    // Arrange: mint enough for one airdrop per implementation and approve each one
    vm.startPrank(sender);
    mockERC20.mint(totalAmount * NUMBER_OF_CONTRACTS);
    mockERC20.approve(address(yulTSender), totalAmount);
    mockERC20.approve(address(huffTSender), totalAmount);
    vm.stopPrank();
    // The sender is the sole recipient of the full amount
    address[] memory recipients = new address[](1);
    address recipient = sender;
    recipients[0] = recipient;
    uint256[] memory amounts = new uint256[](1);
    amounts[0] = totalAmount;
    bytes4 selector = TSender.airdropERC20.selector;
    bytes memory data = abi.encodeWithSelector(selector, address(mockERC20), recipients, amounts, totalAmount);
    // Act: call both implementations with identical calldata
    vm.startPrank(sender);
    (bool succYul,) = address(yulTSender).call(data);
    (bool succHuff,) = address(huffTSender).call(data);
    vm.stopPrank();
    // Assert: both implementations agree, and the sender ends with the same balance it started with
    assert(succYul == succHuff);
    assert(mockERC20.balanceOf(sender) == totalAmount * NUMBER_OF_CONTRACTS);
}

Impact

Malicious actors may repeatedly exploit this vulnerability to create the illusion of broader token distribution while retaining a significant portion of the airdrop.

Tools Used

Foundry

Recommendations

To mitigate this vulnerability, the contract should include a check to ensure that the sender's address is not included in the recipients list.
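The check described in this recommendation, written out as an added illustration (this is example code, not the TSender project's Solidity, Yul or Huff source). The contract name, the custom errors and the length and total sanity checks are assumptions introduced here; the three steps mirror the breakdown in the Vulnerability Details section, with the sender check placed before any tokens move:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed by the example (assumption: not the project's interface file).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// @notice Hypothetical airdrop contract showing the recommended "sender not in recipients" check.
contract AirdropWithSenderCheck {
    error LengthMismatch();
    error SenderInRecipients(uint256 index);
    error TotalMismatch(uint256 expected, uint256 actual);
    error TransferFailed();

    function airdropERC20(
        address token,
        address[] calldata recipients,
        uint256[] calldata amounts,
        uint256 totalAmount
    ) external {
        if (recipients.length != amounts.length) revert LengthMismatch();

        // Recommended check: reject any recipient equal to the caller before moving funds,
        // so the caller cannot route part (or all) of the airdrop back to itself.
        // The sum of amounts is computed in the same pass (assumption: it must equal totalAmount).
        uint256 sum;
        for (uint256 i = 0; i < recipients.length; ++i) {
            if (recipients[i] == msg.sender) revert SenderInRecipients(i);
            sum += amounts[i];
        }
        if (sum != totalAmount) revert TotalMismatch(totalAmount, sum);

        // Step 1: pull the whole total from the sender into this contract.
        if (!IERC20(token).transferFrom(msg.sender, address(this), totalAmount)) revert TransferFailed();

        // Step 2: loop through the recipients and pay each one its amount.
        for (uint256 i = 0; i < recipients.length; ++i) {
            if (!IERC20(token).transfer(recipients[i], amounts[i])) revert TransferFailed();
        }
    }
}
```

With this check in place, the fuzz test above would see both implementations revert with `SenderInRecipients(0)` instead of succeeding. The recipient scan runs before `transferFrom`, so a rejected call costs only the loop gas and never leaves tokens parked in the contract; doing the scan in the same loop as the amount sum keeps the added cost to one comparison per recipient.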

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
