The TSender.sol and TSender.huff contracts are designed to facilitate the airdropping of ERC20 tokens to a list of recipients. However, there is a vulnerability where a user can include their own address in the recipient list and airdrop tokens to themselves.
The airdropERC20 function does not prevent the sender (caller) from including their own address in the recipients list. This means that the sender can effectively airdrop tokens to themselves. Here is a step-by-step breakdown of the issue:
Transfer From Sender: The function first transfers the total amount of tokens from the sender to the contract itself.
Loop Through Recipients: The function then loops through the recipients and transfers the specified amounts to each recipient.
Self-Inclusion: The sender can include their own address in the recipients list and specify any amount of tokens to be transferred to themselves.
In this example, the sender adds himself as a recipient and receives all the airdropped tokens:
Malicious actors may repeatedly exploit this vulnerability to create the illusion of broader token distribution while retaining a significant portion of the airdrop.
Tools Used: Foundry
To mitigate this vulnerability, the contract should include a check to ensure that the sender's address is not included in the recipients list.
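The mitigation described above, as an added Solidity example that is not TSender's own code: a hypothetical airdropERC20 that validates the recipient list before any tokens move and reverts if msg.sender appears in it. The IERC20 interface, the contract name and the custom error names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used below (assumed; not TSender's own interface file).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical hardened airdrop mirroring the three steps in the finding,
// with the recommended check that the caller is never one of the recipients.
contract AirdropNoSelf {
    error SelfRecipient(uint256 index);
    error LengthMismatch();
    error AmountMismatch();

    function airdropERC20(
        address token,
        address[] calldata recipients,
        uint256[] calldata amounts,
        uint256 totalAmount
    ) external {
        if (recipients.length != amounts.length) revert LengthMismatch();

        // Validate the whole list before moving any funds, so a rejected list
        // costs only gas and leaves no tokens stranded in this contract.
        uint256 sum;
        for (uint256 i = 0; i < recipients.length; i++) {
            if (recipients[i] == msg.sender) revert SelfRecipient(i);
            sum += amounts[i];
        }
        if (sum != totalAmount) revert AmountMismatch();

        // Step 1: pull the total from the caller into this contract.
        require(
            IERC20(token).transferFrom(msg.sender, address(this), totalAmount),
            "transferFrom failed"
        );

        // Step 2: fan the tokens out to each validated recipient.
        for (uint256 i = 0; i < recipients.length; i++) {
            require(IERC20(token).transfer(recipients[i], amounts[i]), "transfer failed");
        }
    }
}
```

The same rule would need to be mirrored in TSender.huff, where the address comparison against CALLER must happen inside the recipient loop before each transfer.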