TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Non-Standard WETH Behavior on Blast L2 Chain Causes Denial of Service in Airdrop Contracts

Summary

The WETH contract deployed on the Blast L2 chain does not conform to the standard WETH9 implementation. Specifically, it lacks the following allowance check in its transferFrom function:

if (src != msg.sender && allowance[src][msg.sender] != uint(-1)) {
    require(allowance[src][msg.sender] >= wad);
    allowance[src][msg.sender] -= wad;
}

As a result, any attempt to use transferFrom with WETH on Blast L2 will always revert, causing a Denial of Service (DoS) in protocols and contracts that assume standard behavior. This bug affects both Solidity and Huff implementations of airdrop contracts.

Vulnerability Details

In these airdrop contracts, the transferFrom call is used to transfer tokens from the caller to the contract for distribution to the recipients. However, on the Blast L2 chain, any call to transferFrom with WETH will always revert, causing the entire airdrop process to fail. The missing allowance check causes any call to transferFrom to always revert, as the function assumes allowance is always insufficient.

Impact

Any attempt to transfer WETH using transferFrom will revert on Blast L2. This results in the complete failure of part of the airdrop process, as the contract will be unable to acquire the necessary WETH tokens for distribution.

Tools Used

Manual review

Recommendations

Implement custom logic for WETH transfers on Blast L2. This includes adding an allowance check.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
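
For reference, the standard WETH9 allowance branch quoted in the Summary, modelled in Python as an added example (not part of the submission, not the Blast L2 contract and not the TSender code). The account names, the Weth9Model class and the pull_for_airdrop helper are constructed for illustration.

```python
# Constructed model of the WETH9 transferFrom branch quoted in the Summary.
UINT_MAX = 2**256 - 1  # uint(-1) in the quoted Solidity

class Revert(Exception):
    """Stands in for an EVM revert."""

class Weth9Model:
    def __init__(self):
        self.balance_of = {}
        self.allowance = {}  # (owner, spender) -> amount

    def deposit(self, sender, wad):
        self.balance_of[sender] = self.balance_of.get(sender, 0) + wad

    def approve(self, sender, spender, wad):
        self.allowance[(sender, spender)] = wad

    def transfer_from(self, msg_sender, src, dst, wad):
        if self.balance_of.get(src, 0) < wad:
            raise Revert("insufficient balance")
        allowed = self.allowance.get((src, msg_sender), 0)
        # Same condition as the quoted snippet: skipped for self-transfers
        # and for an unlimited (uint(-1)) approval.
        if src != msg_sender and allowed != UINT_MAX:
            if allowed < wad:
                raise Revert("insufficient allowance")
            self.allowance[(src, msg_sender)] = allowed - wad
        self.balance_of[src] -= wad
        self.balance_of[dst] = self.balance_of.get(dst, 0) + wad

def pull_for_airdrop(token, airdrop, caller, total):
    """Hypothetical airdrop pull: the token sees the airdrop contract as msg.sender."""
    try:
        token.transfer_from(airdrop, caller, airdrop, total)
        return "ok"
    except Revert as exc:
        return f"revert: {exc}"

def demo():
    token = Weth9Model()
    token.deposit("alice", 100)
    results = [pull_for_airdrop(token, "airdrop", "alice", 30)]      # no approval yet
    token.approve("alice", "airdrop", 50)
    results.append(pull_for_airdrop(token, "airdrop", "alice", 30))  # allowance 50 -> 20
    results.append(pull_for_airdrop(token, "airdrop", "alice", 30))  # 20 < 30
    token.approve("alice", "airdrop", UINT_MAX)
    results.append(pull_for_airdrop(token, "airdrop", "alice", 30))  # unlimited, not decremented
    return results, token.allowance[("alice", "airdrop")], token.balance_of
```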
