The TSender_NoCheck.huff contract, which according to the documentation is supposed to be the Huff equivalent of the GasliteDrop::airdropERC20 function, lacks an important check that is present in the original GasliteDrop::airdropERC20 Solidity implementation: the check that the amounts and recipients arrays have the same length. Without it, a caller can lose funds.
The documentation mentions the following:
TSender_NoCheck.huff: The Huff implementation without the extra checks, making the output similar to GasliteDrop. Much more gas efficient, but without any safety rails.
And
The TSender_NoCheck.huff does not have the extra checks, but is just a gas optimized version of the original GasliteDrop contract.
This means that TSender_NoCheck.huff is meant to be an exact replica of the ERC20 airdrop functionality of the GasliteDrop contract, differing only in being highly gas optimized. However, unlike the original Solidity implementation, it lacks the length check.
In the GasliteDrop implementation, the function airdropERC20 starts with the following check:
The Huff implementation does not follow the documentation. Moreover, it leads to a loss of funds for the caller: if the amounts array is longer than the recipients array, more tokens are pulled into the contract (the caller's totalAmount) than are distributed to the recipients, since the loop is bounded by the number of recipients. Any surplus is locked in the contract forever.
Since this contradicts the documentation, the finding is rated medium severity.
Manual review
Consider adding the following check to TSender_NoCheck.huff at the beginning of the AIRDROP_ERC20 macro:
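As an added illustration (an editorial example, not the snippet from the original finding and not TSender's own code), one way to express such a check in Huff. It assumes the standard ABI calldata layout of airdropERC20(address tokenAddress, address[] recipients, uint256[] amounts, uint256 totalAmount), reads both array lengths from their calldata offsets, and reverts with empty returndata on mismatch, as GasliteDrop does; the macro name CHECK_ARRAY_LENGTHS and the label name are assumptions.

```huff
// Added example (not the project's code). Calldata layout assumed for
// airdropERC20(address,address[],uint256[],uint256):
//   0x04  tokenAddress
//   0x24  offset of recipients, relative to 0x04
//   0x44  offset of amounts,    relative to 0x04
//   0x64  totalAmount
// A dynamic array's first word at (0x04 + offset) is its length.
#define macro CHECK_ARRAY_LENGTHS() = takes (0) returns (0) {
    0x24 calldataload        // [recipients_offset]
    0x04 add                 // [recipients_length_ptr]
    calldataload             // [recipients.length]
    0x44 calldataload        // [amounts_offset, recipients.length]
    0x04 add                 // [amounts_length_ptr, recipients.length]
    calldataload             // [amounts.length, recipients.length]
    eq                       // [lengths_equal]
    lengths_match jumpi      // []  skip the revert when the lengths agree

    // Mismatch: revert with no returndata, matching GasliteDrop's behaviour.
    0x00 0x00 revert

    lengths_match:
}

// Invoke the check as the first step of the airdrop macro, before any
// transferFrom of totalAmount and before the recipients loop.
#define macro AIRDROP_ERC20() = takes (0) returns (0) {
    CHECK_ARRAY_LENGTHS()
    // ... existing airdrop logic of TSender_NoCheck.huff follows here ...
}
```

Reading the offsets from calldata rather than hardcoding 0x84 and 0x164-style positions keeps the check correct regardless of how the caller's ABI encoder lays out the two arrays; the cost is four extra calldataload/add opcodes per call, which is negligible next to the per-recipient transfer loop.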