TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

`areListsValid` interface is not defined as `pure` in the huff implementation which costs gas fees

Summary

The areListsValid function in the Huff implementation is not declared as pure, resulting in unnecessary gas costs for validation checks that could be performed off-chain or in a pure context. This defeats the purpose of this function.

Vulnerability Details

The areListsValid function is designed to perform several validation checks on the recipients and amounts arrays. According to the documentation, its purpose is to perform these checks without cost:

Additionally, we did not want to spend gas checking a few things, so we added a function called areListsValid that takes in a address[] recipients and uint256[] amounts to check for:

  • Duplicate addresses

  • Zero address sends

  • There is at least 1 recipient

  • All amounts are > 0

  • recipients.length == amounts.length
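The five checks listed above can also be run off-chain before an airdrop is submitted. The following is an added example, not code from the submission or from the TSender project: the function name `are_lists_valid`, the returned reason strings and the order of the checks are assumptions, and the malformed-address and uint256-range checks go beyond the five items in the list.

```python
import re

ZERO_ADDRESS = "0x" + "00" * 20
UINT256_MAX = 2**256 - 1
_ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def are_lists_valid(recipients, amounts):
    """Off-chain pre-flight check of an airdrop list; returns (ok, reason)."""
    if len(recipients) == 0:
        return False, "no recipients"
    if len(recipients) != len(amounts):
        return False, "length mismatch"
    seen = set()
    for i, (addr, amount) in enumerate(zip(recipients, amounts)):
        if not isinstance(addr, str) or not _ADDRESS_RE.fullmatch(addr):
            return False, f"malformed address at index {i}"
        # Compare lower-cased so a checksummed and a lower-case spelling
        # of the same address are caught as a duplicate.
        norm = addr.lower()
        if norm == ZERO_ADDRESS:
            return False, f"zero address at index {i}"
        if norm in seen:
            return False, f"duplicate address at index {i}"
        seen.add(norm)
        if not isinstance(amount, int) or isinstance(amount, bool):
            return False, f"non-integer amount at index {i}"
        if amount == 0:
            return False, f"zero amount at index {i}"
        if amount < 0 or amount > UINT256_MAX:
            return False, f"amount out of uint256 range at index {i}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the page.
    alice = "0x" + "11" * 20
    bob = "0x" + "ab" * 20
    print(are_lists_valid([alice, bob], [100, 250]))
    print(are_lists_valid([bob, "0x" + "AB" * 20], [1, 2]))
```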

In the contract TSender.huff the interface airdropERC20 is declared in the same way as the function airdropERC20 which is an external function:

```
/* Interface */
#define function airdropERC20(address,address[],uint256[],uint256) nonpayable returns()
#define function areListsValid(address[],uint256[]) nonpayable returns (bool)
```

Meanwhile, its counterpart defined in TSender.sol is a pure function.

The Huff documentation says that you can declare an interface as pure or view depending on your need:

Functions can be of type view, pure, payable or nonpayable

Impact

The Huff implementation is declared as external, which causes it to consume gas. The function's purpose is purely to check the validity of the input arrays without modifying the state. Even though the impact is low, the functionality of this function does not work as the documentation stipulates. So it does break the invariant of not paying any gas fees when calling this function, which makes it a medium.

Tools Used

Manual review

Recommendations

Consider the following change:

- #define function areListsValid(address[],uint256[]) nonpayable returns (bool)
+ #define function areListsValid(address[],uint256[]) pure returns (bool)
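
Review bot: the `+` line changes only the mutability keyword in the `#define function` interface declaration, and nothing in this hunk touches the macro that implements areListsValid, so the recommendation should state what is expected to change for callers once the declaration reads `pure`. Before merging, confirm that the implementation reads and writes no contract state, and add a comment next to the declaration noting that it is meant to match the `pure` signature in TSender.sol.
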
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
maroutis Submitter
about 1 year ago
patrickalphac Auditor
about 1 year ago
maroutis Submitter
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
