The vulnerability in the TSender_NoCheck.huff
contract arises from the possibility of excess tokens remaining stuck in the contract due to a mismatch between the total allocated amount and the actual sum distributed.
The primary vulnerability lies in the AIRDROP_ERC20 macro in the TSender_NoCheck.huff
contract, where there is no check to ensure that the total amount specified for airdrop matches the sum of the amounts sent to individual recipients. Consequently, any surplus tokens remain trapped within the contract without a designated recipient, unable to be retrieved or utilized.
Example Scenario
totalAmount specified is 1000 tokens.
The amounts array sums up to 600 tokens.
400 tokens will remain in the contract and are effectively locked up.
To get the deployBytecode of the TSender_NoCheck.huff
contract, run:
Financial Loss: The sender might lose tokens as they become irretrievable once stuck in the contract.
Foundry
To mitigate this issue, a solution would involve refunding any surplus tokens back to the sender. This ensures that any excess tokens, which are not allocated to recipients, are promptly returned to the original sender, preventing them from becoming stranded within the contract.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.