TSender

The TSender contract's airdropERC20 function, designed for airdropping ERC-20 tokens, is susceptible to reentrancy attacks if not properly secured. Here's how an attacker could exploit this vulnerability with any ERC-20 token (USDC, USDT, LINK, WETH, etc.):

Attack Scenario:

Malicious Contract Deployment:

The attacker creates a malicious contract (AttackContract) designed for reentrancy exploitation.

Initiating the Airdrop:

The attacker initiates an airdrop transaction using the TSender contract, specifying the AttackContract as one of the recipient addresses.
The airdrop includes the target ERC-20 token (e.g., USDC, USDT, LINK, WETH).

Reentrancy Exploit:

During the airdropERC20 function execution:
The TSender contract transfers the designated ERC-20 amount to each recipient in the list, including the AttackContract.

Crucially, if the airdropERC20 function lacks reentrancy protection:
The AttackContract receives the ERC-20 tokens.
The AttackContract leverages a re-entry mechanism (e.g., fallback function) to call back into the airdropERC20 function recursively before it finishes processing the entire recipient list.

Stealing Tokens (Second Call):

This re-entrant call allows the attacker to exploit the vulnerability.
The airdropERC20 function mistakenly treats this re-entrant call as a new recipient and transfers another portion of the ERC-20 tokens to the AttackContract again.

Multiple Iterations (Optional):

Depending on the AttackContract's design, it might be able to repeat the re-entry process multiple times, stealing a significant amount of the ERC-20 tokens before the original call finishes.

Original Call Completion (Optional):

The original airdropERC20 function might eventually complete, processing the remaining recipients in the airdrop list (excluding the attacker's address).

Impact:

The attacker can steal a significant amount of the ERC-20 tokens intended for the airdrop.
This disrupts the airdrop process and leads to financial losses for the airdrop organizer.
Preventing Reentrancy Attacks in TSender Contract:

SafeERC20 Library Integration: Modify the airdropERC20 function to utilize OpenZeppelin's SafeERC20 library. This library provides wrapper functions for ERC-20 transfers that inherently prevent reentrancy attacks.
Non-Reentrant Modifier: Implement a nonReentrant modifier for the airdropERC20 function. This modifier locks the function during execution, ensuring the entire recipient list is processed before allowing further calls.
Reentrancy Guard Pattern: If modifying the codebase significantly is difficult, consider the reentrancy guard pattern. This pattern uses a boolean flag to track the function's execution state and prevent re-entry attempts.