TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: high
Invalid

Denial-of-Service vulnerability in airdropERC20 function due to large recipient list

Summary

The TSender::airdropERC20 function is exposed to a denial-of-service (DoS) condition: iterating over a large recipient list in a single call drives its gas cost past what one block can hold.

Vulnerability Details

The TSender::airdropERC20 function iterates through an array of recipients to transfer ERC20 tokens. If the recipient list holds more than 1200 entries, the transaction can exceed the block gas limit and revert, so none of the recipients is paid.

Impact

TSender::airdropERC20 cannot be used for more than 1200 recipients in one call, because the transaction exceeds the block gas limit.

Proof of Concept

  1. Paste the test below into Base_Test.t.sol

  2. Run: forge test --mt testAirdropERC20ToLargeNumberOfRecipients --gas-limit 30000000

    function testAirdropERC20ToLargeNumberOfRecipients() public {
        address sender = makeAddr("sender");
        uint256 numRecipients = 1200;
        address[] memory recipients = new address[](numRecipients);
        uint256[] memory amounts = new uint256[](numRecipients);
        uint256 totalAmount = 0;

        // Build 1200 distinct recipient addresses, 1 token unit each.
        for (uint256 i = 0; i < numRecipients; i++) {
            recipients[i] = address(uint160(i + 1));
            amounts[i] = 1;
            totalAmount += 1;
        }

        // Fund the sender and approve TSender to pull the full amount.
        vm.startPrank(sender);
        mockERC20.mint(totalAmount);
        mockERC20.approve(address(tSender), totalAmount);
        vm.stopPrank();

        // At this list size the airdrop call is expected to revert (out of gas).
        vm.prank(sender);
        vm.expectRevert();
        tSender.airdropERC20(address(mockERC20), recipients, amounts, totalAmount);
    }

Tools Used

Manual Review
Foundry

Recommendations

Implement claim functionality so that eligible users pull their airdrop tokens themselves. This shifts the gas cost to individual users and removes the single unbounded loop that causes the DoS. Users claim by calling a claimAirdrop function that verifies their eligibility and transfers the tokens to them directly.
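As an added illustration of the recommended pull pattern (this is example code written for this report, not TSender code or a fix from the project), a minimal claim contract in which eligibility is committed to a Merkle root and each recipient pays for its own claim. The ClaimAirdrop name, the Merkle-root design and the OpenZeppelin imports are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

/// Hypothetical pull-based airdrop (example, not TSender code).
/// The recipient set is committed to `merkleRoot` off-chain, so no transaction
/// ever iterates over the full list; cost is bounded per claim, not per airdrop.
contract ClaimAirdrop {
    IERC20 public immutable token;
    bytes32 public immutable merkleRoot;
    mapping(address => bool) public claimed;

    error AlreadyClaimed(address account);
    error InvalidProof(address account, uint256 amount);

    event Claimed(address indexed account, uint256 amount);

    constructor(IERC20 _token, bytes32 _merkleRoot) {
        token = _token;
        merkleRoot = _merkleRoot;
    }

    /// Anyone may submit a valid proof; tokens always go to `account`.
    function claimAirdrop(address account, uint256 amount, bytes32[] calldata proof) external {
        if (claimed[account]) revert AlreadyClaimed(account);

        // Double-hashed leaf so a leaf can never collide with an internal node.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
        if (!MerkleProof.verify(proof, merkleRoot, leaf)) revert InvalidProof(account, amount);

        // Effects before interaction: mark as claimed before transferring.
        claimed[account] = true;
        emit Claimed(account, amount);
        require(token.transfer(account, amount), "transfer failed");
    }
}
```

The contract must be funded with the total airdrop amount before claims open; unclaimed tokens can be handled by an owner-only sweep after a deadline, which is omitted here.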

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
