TSender

Cyfrin

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Airdrop Function Allows Sender to Include Themselves as Recipient

zainab

Summary

The TSender.sol and TSender.huff contract is designed to facilitate the airdropping of ERC20 tokens to a list of recipients. However, there is a vulnerability where a user can include their own address in the recipient list and airdrop tokens to themselves.

Vulnerability Details

The airdropERC20 function does not prevent the sender (caller) from including their own address in the recipients list. This means that the sender can effectively airdrop tokens to themselves. Here is a step-by-step breakdown of the issue:

Transfer From Sender: The function first transfers the total amount of tokens from the sender to the contract itself.
Loop Through Recipients: The function then loops through the recipients and transfers the specified amounts to each recipient.
Self-Inclusion: The sender can include their own address in the recipients list and specify any amount of tokens to be transferred to themselves.

In this example, the sender add himself as recipient and receive all the airdrop tokens:

function testAirDropToSender(uint128 totalAmount, address sender) public {

vm.assume(sender != address(0));

vm.assume(totalAmount != 0);

uint256 NUMBER_OF_CONTRACTS = 2;

// Arrange

vm.startPrank(sender);

mockERC20.mint(totalAmount * NUMBER_OF_CONTRACTS);

mockERC20.approve(address(yulTSender), totalAmount);

mockERC20.approve(address(huffTSender), totalAmount);

vm.stopPrank();

address[] memory recipients = new address[](1);

address receipient = sender;

recipients[0] = receipient;

uint256[] memory amounts = new uint256[](1);

amounts[0] = totalAmount;

bytes4 selector = TSender.airdropERC20.selector;

bytes memory data = abi.encodeWithSelector(selector, address(mockERC20), recipients, amounts, totalAmount);

// Act

vm.startPrank(sender);

(bool succYul,) = address(yulTSender).call(data);

(bool succHuff,) = address(huffTSender).call(data);

vm.stopPrank();

// Assert

assert(succYul == succHuff);

assert(mockERC20.balanceOf(sender) == totalAmount * NUMBER_OF_CONTRACTS);

}

Impact

Malicious actors may repeatedly exploit this vulnerability to create the illusion of broader token distribution while retaining a significant portion of the airdrop.

Tools Used

Foundry

Recommendations

To mitigate this vulnerability, the contract should include a check to ensure that the sender's address is not included in the recipients list.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

256

59 USDC / LOC

High Medium

12,500 USDC

Low

1,375 USDC

Judges

1,125 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.