The recipients check does not verify whether one of the recipients is address(this), leading to loss of funds (they get locked) if it is set by mistake.
The Tsender.sol/huff::areListsValid() function checks that the recipients and amounts are not zero values and that there is no duplicate recipient. This check is not sufficient for recipients: if a recipient is set to address(this) by mistake, funds are lost when airdropping tokens.
As stated by the sponsor, areListsValid will be fired to check that the lists of addresses and recipients are valid, to prevent any issue from happening. The check (recipients[i] == address(this)) is not implemented, so the function returns true if one of the recipients is address(this).
The problem is that these funds are unrecoverable: there is a check after distribution that forces the amount sent by the caller to the AirDrop contract to be the same as the amount distributed. The funds will therefore be locked inside the contract.
This is different from normal admin mistake errors, as the idea of the areListsValid() function is to let the caller know that everything is correct before distributing tokens. Since it returns true in that case, the caller will go ahead and fire the function without problems, which leads to this issue.
Loss of funds, which get locked in the AirDrop contract forever.
Manual Review
Check that the recipient is not set to address(this) in Tsender::areListsValid(). This check should also be added in the Huff version.
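A sketch of the recommended check, written for this report as an added example and not taken from the TSender source. The contract name, the length handling and the loop layout are assumptions; only the areListsValid name and the checks described above come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the TSender implementation.
/// ListValidationSketch is a hypothetical name.
contract ListValidationSketch {
    /// Returns true only if the lists are safe to pass to the airdrop call.
    /// Declared `view` here because the body reads address(this).
    function areListsValid(address[] calldata recipients, uint256[] calldata amounts)
        external
        view
        returns (bool)
    {
        // Assumption: empty or mismatched lists are treated as invalid.
        if (recipients.length == 0 || recipients.length != amounts.length) {
            return false;
        }

        for (uint256 i = 0; i < recipients.length; i++) {
            address recipient = recipients[i];

            // Checks the finding says already exist:
            // no zero-value recipient and no zero-value amount.
            if (recipient == address(0) || amounts[i] == 0) {
                return false;
            }

            // Check recommended by this finding: tokens sent to the
            // airdrop contract itself stay locked there, so reject it.
            if (recipient == address(this)) {
                return false;
            }

            // Existing duplicate check: compare against every later entry.
            for (uint256 j = i + 1; j < recipients.length; j++) {
                if (recipient == recipients[j]) {
                    return false;
                }
            }
        }
        return true;
    }
}
```

A unit test for the fix would pass a list containing the contract's own address and assert that the function returns false.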