TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

no check on transfer

Summary

ERC20 implementations are not always consistent. Some implementations of transfer and transferFrom could return ‘false’ on failure instead of reverting. It is safer to wrap such calls into require() statements or use safe wrapper functions implementing return value/data checks to handle these failures.

Vulnerability Details

    function airdropERC20(
        address tokenAddress,
        address[] calldata recipients,
        uint256[] calldata amounts,
        uint256 totalAmount
    ) external {
        if (recipients.length != amounts.length) {
            revert TSender__LengthsDontMatch();
        }
        uint256 actualTotal;
        bool success = IERC20(tokenAddress).transferFrom(msg.sender, address(this), totalAmount);
        if (!success) {
            revert TSender__TransferFailed();
        }
        for (uint256 i; i < recipients.length; i++) {
            actualTotal += amounts[i];
            if (recipients[i] == address(0)) {
                revert TSender__ZeroAddress();
            }
    @>>     IERC20(tokenAddress).transfer(recipients[i], amounts[i]);
        }
        if (actualTotal != totalAmount) {
            revert TSender__TotalDoesntAddUp();
        }
    }

Impact

transfer may revert.

Tools Used

Recommendations

Use safeTransfer in place of transfer.
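The return-value check the summary describes, written out as an added example that is not part of the original submission or of the TSender code base. The names `SafeTransferSketch`, `AirdropSketch`, `distribute` and `TransferFailed` are hypothetical; OpenZeppelin's `SafeERC20` library provides a production `safeTransfer` with the same intent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical helper: accepts the three behaviours seen in deployed tokens
// (revert on failure, return false on failure, return nothing at all).
library SafeTransferSketch {
    error TransferFailed(address token, address to, uint256 amount);

    function safeTransfer(address token, address to, uint256 amount) internal {
        // Low-level call so that missing return data does not break ABI decoding.
        (bool ok, bytes memory ret) =
            token.call(abi.encodeCall(IERC20.transfer, (to, amount)));

        // 1. The call itself reverted.
        if (!ok) revert TransferFailed(token, to, amount);

        if (ret.length == 0) {
            // 2. No return data: only valid if the target is a contract,
            //    because a call to an address without code also "succeeds".
            if (token.code.length == 0) revert TransferFailed(token, to, amount);
        } else if (ret.length != 32 || !abi.decode(ret, (bool))) {
            // 3. Return data present but malformed or equal to false.
            revert TransferFailed(token, to, amount);
        }
    }
}

// Hypothetical distribution loop in the shape of the flagged line.
contract AirdropSketch {
    error LengthsDontMatch();

    function distribute(
        address token,
        address[] calldata recipients,
        uint256[] calldata amounts
    ) external {
        if (recipients.length != amounts.length) revert LengthsDontMatch();
        for (uint256 i; i < recipients.length; i++) {
            // A false return now reverts the whole batch instead of being ignored.
            SafeTransferSketch.safeTransfer(token, recipients[i], amounts[i]);
        }
    }
}
```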

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
