This is an informational finding and not a security assessment. Since there is no informational severity I chose low.
File TSender.sol line 66:
// recipients.offset actually points to the recipients.length offset, not the first address of the array offset
Unless I'm not understanding this correctly, this comment is wrong. `recipients.offset` does actually point to the first value in the array. In case of the function `airdropERC20`, `recipients.offset` would point to `0xa4`. To get the `recipients.length` offset it is `0x84`. Or you can get it by accessing the second value of the calldata and adding `0x04`.
File TSender.huff, macro `AIRDROP_ERC20`:
[NUMBER_OF_AMOUNTS_OFFSET_OFFSET] calldataload // [amounts.offset, token_address, total_amount]
In many lines of this macro, the comment `amounts.offset` is added to refer to the offset of the length value (`- 0x04`) of the amounts array. This is misleading since in Solidity/Yul `amounts.offset` refers to the offset of the first value of the amount array. Should be replaced by `amounts.length.offset` or something similar.
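The offsets quoted above can be checked by resolving the ABI head pointers by hand. This is an added example, not code from the submission or from the TSender repository; it assumes the parameter order `(address, address[], uint256[], uint256)`, uses a placeholder selector, and runs on constructed sample values.

```python
SELECTOR = bytes(4)  # placeholder selector; its value does not change any offset


def word(n: int) -> bytes:
    """One 32-byte big-endian ABI word."""
    return n.to_bytes(32, "big")


def encode_call(token: int, recipients: list[int], amounts: list[int], total: int) -> bytes:
    """Hand-rolled ABI encoding: four head words, then the two array tails."""
    head_size = 4 * 32
    recipients_tail = word(len(recipients)) + b"".join(word(r) for r in recipients)
    amounts_tail = word(len(amounts)) + b"".join(word(a) for a in amounts)
    head = (
        word(token)
        + word(head_size)                         # pointer to recipients tail
        + word(head_size + len(recipients_tail))  # pointer to amounts tail
        + word(total)
    )
    return SELECTOR + head + recipients_tail + amounts_tail


def array_offsets(calldata: bytes, head_index: int) -> dict:
    """Locate a dynamic array argument using the Solidity/Yul naming."""
    pointer_pos = 4 + 32 * head_index
    relative = int.from_bytes(calldata[pointer_pos:pointer_pos + 32], "big")
    length_offset = 4 + relative  # pointers are relative to the byte after the selector
    length = int.from_bytes(calldata[length_offset:length_offset + 32], "big")
    if length_offset + 32 + 32 * length > len(calldata):
        raise ValueError("array runs past the end of calldata")
    return {
        "length_offset": length_offset,  # where the length word lives
        "offset": length_offset + 32,    # what `<array>.offset` means: first element
        "length": length,
    }


def sample_calldata() -> bytes:
    """Constructed sample: two recipients, two amounts."""
    return encode_call(0x1111, [0xAAAA, 0xBBBB], [10, 20], 30)


if __name__ == "__main__":
    cd = sample_calldata()
    for name, idx in (("recipients", 1), ("amounts", 2)):
        info = array_offsets(cd, idx)
        print(name, {k: hex(v) for k, v in info.items()})
```

The length offset of `recipients` is fixed because it directly follows the four-word head, while the position of `amounts` moves with the number of recipients.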