The airdropERC20 function in the TSender contract does not include a check for duplicate addresses in the recipients array. Although the areListsValid function performs this check, it is not enforced within the airdropERC20 function, allowing duplicate addresses to be processed without validation.
Consider the following non-code PoC scenario demonstrating the issue:
1: An airdrop is planned to distribute 1000 tokens among several recipients.
2: Invalid lists:
   The recipients array contains a duplicate address: [0x123, 0x456, 0x123, 0x789].
   The amounts array contains valid amounts: [100, 200, 300, 400].
3: The airdropERC20 function is called with these invalid lists.
4: Results:
   The address 0x123 receives tokens twice (100 + 300 = 400 tokens), while the other addresses receive their specified amounts.
   Total distributed tokens: 1000 (the intended total), but with an unintended allocation because of the duplicate.
If the recipients array contains duplicate addresses, the same address receives multiple transfers. Distributing tokens to one address several times is wasteful and is not the intended behavior of an airdrop.
Malicious users could exploit this flaw by including their address multiple times in the recipients array to receive more tokens than intended.
Manual review
To address the lack of duplicate address checks, the airdropERC20 function should call the areListsValid function at the beginning and revert if the validation fails. Here’s how you can integrate the validation:
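The following is an added illustration of that recommendation, not TSender's own source: the function names come from the finding, while the token and totalAmount parameters, the IERC20 interface and the error names are assumptions. areListsValid rejects mismatched lengths, the zero address and any repeated recipient, and airdropERC20 reverts on it before any token moves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal ERC20 surface used by the airdrop.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative contract, not TSender's source: signatures and error names are assumptions.
contract AirdropWithListCheck {
    error Airdrop__InvalidLists();
    error Airdrop__TotalMismatch();
    error Airdrop__TransferFailed();

    // Returns false on mismatched lengths, a zero recipient, or any repeated recipient.
    // The O(n^2) scan needs no storage and is acceptable for an airdrop-sized list.
    function areListsValid(address[] calldata recipients, uint256[] calldata amounts)
        public pure returns (bool)
    {
        if (recipients.length != amounts.length) return false;
        for (uint256 i = 0; i < recipients.length; i++) {
            if (recipients[i] == address(0)) return false;
            for (uint256 j = i + 1; j < recipients.length; j++) {
                if (recipients[i] == recipients[j]) return false;
            }
        }
        return true;
    }

    function airdropERC20(
        address token,
        address[] calldata recipients,
        uint256[] calldata amounts,
        uint256 totalAmount
    ) external {
        // The fix: validate first, so a list such as [0x123, 0x456, 0x123, 0x789]
        // reverts instead of paying 0x123 twice.
        if (!areListsValid(recipients, amounts)) revert Airdrop__InvalidLists();
        uint256 sum;
        for (uint256 i = 0; i < amounts.length; i++) sum += amounts[i];
        if (sum != totalAmount) revert Airdrop__TotalMismatch();
        if (!IERC20(token).transferFrom(msg.sender, address(this), totalAmount)) revert Airdrop__TransferFailed();
        for (uint256 i = 0; i < recipients.length; i++) {
            if (!IERC20(token).transfer(recipients[i], amounts[i])) revert Airdrop__TransferFailed();
        }
    }
}
```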