The TSender.sol contract is designed for ERC20 airdrops and it is expected to work with USDT, as mentioned on the audit page. However, due to insufficient validation of the `transfer` and `transferFrom` functions when using USDT, some recipients may be left without their eligible tokens.
The `airdropERC20()` function does not check the return value of the `transferFrom` and `transfer` functions. Instead, it only checks that the calls do not revert, which is insufficient for ensuring that the token transfer was successful. This is problematic because some ERC20 tokens, such as USDT, do not revert on failure, and as a result the contract may incorrectly assume a transfer was successful when it was not.
The contract attempts to airdrop tokens to a list of recipients. Some of the token transfers fail, but because tokens like USDT do not revert on failure for `transfer` and `transferFrom`, the contract does not detect these failures. The airdrop completes without transferring the intended amount of tokens to all recipients, leading to fund loss for those who did not receive their tokens.

Some airdrop-eligible participants could be left without their tokens due to undetected transfer failures.
Manual code review
To handle the return values of the ERC20 `transferFrom` and `transfer` functions correctly and ensure compatibility with non-standard ERC20 tokens like USDT, the contract should use the SafeERC20 library from OpenZeppelin.
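As an added illustration (not TSender's code or the audit's own proof of concept), the unchecked pattern the finding describes beside the SafeERC20 form it recommends; the contract names, the function signature and the `total` parameter are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed illustration of the pattern described in the finding; not TSender's code.
// Weak form: transfers are made with a raw call and only "did the call revert?" is checked,
// so a token that signals failure by returning false (or returns no data) is treated as success.
contract UncheckedAirdrop {
    function airdropERC20(address token, address[] calldata recipients, uint256[] calldata amounts, uint256 total)
        external
    {
        (bool ok,) = token.call(abi.encodeCall(IERC20.transferFrom, (msg.sender, address(this), total)));
        require(ok, "transferFrom reverted");            // return data ignored
        for (uint256 i = 0; i < recipients.length; i++) {
            (ok,) = token.call(abi.encodeCall(IERC20.transfer, (recipients[i], amounts[i])));
            require(ok, "transfer reverted");            // return data ignored
        }
    }
}

// Hardened form: SafeERC20 forwards the call, requires it to succeed, and if any return data
// is present requires it to decode to `true`. A false return (or a revert) now aborts the
// whole airdrop instead of silently skipping recipients.
contract SafeAirdrop {
    using SafeERC20 for IERC20;

    function airdropERC20(address token, address[] calldata recipients, uint256[] calldata amounts, uint256 total)
        external
    {
        require(recipients.length == amounts.length, "length mismatch");
        IERC20 erc20 = IERC20(token);
        erc20.safeTransferFrom(msg.sender, address(this), total);
        uint256 sent;
        for (uint256 i = 0; i < recipients.length; i++) {
            erc20.safeTransfer(recipients[i], amounts[i]);
            sent += amounts[i];
        }
        require(sent == total, "amounts do not sum to total");
    }
}
```

The length and sum checks are additional defensive measures beyond the SafeERC20 change; the finding itself only calls for checking the transfer results.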