TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Unchecked Array Access

Summary

The TSender.sol__airdropERC20 function does not validate the lengths of the recipients and amounts arrays before accessing their elements. If the arrays are empty or have different lengths, the contract may revert unexpectedly or exhibit undefined behavior.

Vulnerability Details

In the TSender.sol__airdropERC20 function, the contract expects two arrays as input: recipients and amounts. The recipients array contains the addresses of the recipients who will receive the tokens, and the amounts array contains the corresponding amount of tokens to be transferred to each recipient.
The vulnerability arises because the function does not validate the lengths of these arrays before accessing their elements. If the arrays are empty or have different lengths, the contract may exhibit undefined behavior or revert unexpectedly.
Here are a few scenarios where this vulnerability can lead to issues:

  1. Empty Arrays: If either the recipients or amounts array is empty, the function will still attempt to access elements from these arrays, potentially leading to out-of-bounds access or other undefined behavior.

  2. Unequal Array Lengths: If the recipients and amounts arrays have different lengths, the function will eventually access an out-of-bounds index in one of the arrays. This can lead to unexpected behavior or a revert, as the function assumes a one-to-one correspondence between the elements of the two arrays.

  3. Unexpected Array Lengths: Even if the two arrays have the same length, if that length differs from what the caller intended, the function may perform unintended operations or distribute tokens to unintended recipients.

Recommendations

To mitigate this vulnerability, add explicit checks that the recipients and amounts arrays are not empty and have the same length before accessing their elements. This can be done by adding the following checks at the beginning of the TSender.sol__airdropERC20 function:

require(recipients.length > 0, "Recipients array cannot be empty");
require(amounts.length > 0, "Amounts array cannot be empty");
require(recipients.length == amounts.length, "Recipients and amounts arrays must have the same length");

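As an added example (not TSender's code), here is how the recommended checks sit in front of the transfer loop of a minimal airdrop function; the CheckedAirdrop contract, its custom errors and the IERC20 interface are assumed for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not TSender's code: a minimal airdrop function that applies the
// recommended input checks before iterating over the arrays.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract CheckedAirdrop {
    error EmptyArrays();
    error LengthMismatch(uint256 recipients, uint256 amounts);
    error TransferFailed(address to, uint256 amount);

    function airdropERC20(
        address tokenAddress,
        address[] calldata recipients,
        uint256[] calldata amounts
    ) external {
        // Reject empty input up front instead of silently doing nothing.
        if (recipients.length == 0) revert EmptyArrays();
        // Enforce the one-to-one correspondence the loop below relies on. Without this,
        // reading amounts[i] past the end of a shorter array triggers a Solidity 0.8
        // out-of-bounds Panic(0x32) part-way through the loop: the whole call is rolled
        // back, but the gas spent on the earlier transfers is lost and the error is
        // far less descriptive than a dedicated length check.
        if (recipients.length != amounts.length) {
            revert LengthMismatch(recipients.length, amounts.length);
        }

        IERC20 token = IERC20(tokenAddress);
        for (uint256 i = 0; i < recipients.length; i++) {
            // Pull each amount from the caller and forward it to the recipient.
            if (!token.transferFrom(msg.sender, recipients[i], amounts[i])) {
                revert TransferFailed(recipients[i], amounts[i]);
            }
        }
    }
}
```

A caller passing arrays of different lengths now fails at the first check with a typed LengthMismatch error rather than deep inside the loop.
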
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
