Summary

In the Tsender.huff contract the two main functions: airdropERC20 and areListsValid. Both functions operate on arrays of recipient addresses and corresponding token amounts. However, neither function includes a check to ensure that each address in the recipients array is unique.

Proof of concept

1: An attacker or user prepares a list of recipients for the airdrop, intentionally including duplicate addresses.

2: The user calls the airdropERC20 function with the list containing duplicate addresses.

3: The function proceeds to transfer tokens to each address in the recipients array, including the duplicates.

4: The addresses that appear multiple times in the array receive multiple token transfers, leading to an over-distribution.

Impact

1: The same address can receive multiple token transfers, potentially leading to an over-distribution of tokens beyond the intended amount.

2: The presence of duplicate addresses can disrupt the intended distribution logic, causing some recipients to receive more tokens while others may not receive any.

3: Over-distributing tokens can result in financial loss, particularly if the total supply is limited or if the tokens have significant value.

Tools Used

Manual review

Recommendations

To prevent the distribution of tokens to duplicate addresses, the contract should implement a duplicate address check within the airdropERC20 function or areListsValid function. This check should ensure that each address in the recipients array is unique before proceeding with the token transfers.

Recommended Code Change:

Summary of Changes

1: Implemented NON_REENTRANT and RESET_REENTRANCY_GUARD macros to prevent reentrancy attacks.

2: Duplicate Check:

• Added an outer loop to iterate through each recipient.

• Added an inner loop to compare the current recipient with all other recipients.

• If a duplicate is found, the function reverts with a TSender__DuplicateRecipient error.