TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: high
Invalid

WETH TransferFrom Issue on Blast L2 Network

Summary

The WETH contract on the Blast L2 network does not implement the standard ERC-20 transferFrom function properly. Specifically, it lacks the allowance check that ensures the sender has been approved to transfer tokens on behalf of the owner. This missing check causes the transferFrom function to revert, breaking the expected behavior of the token and causing transactions that work on other networks to fail on Blast L2.

Vulnerability Details

In the airdrop contracts, the transferFrom function is used to collect the total amount of tokens to be airdropped from the caller to the contract before distributing these tokens to the recipients. This process ensures that the contract holds the total amount of tokens to be distributed which are then sent out to each recipient as specified in the airdrop.

WETH is listed as one of the tokens on the contest page, and Blast L2 is one of the chains where the contracts are to be deployed.

In a standard ERC-20 implementation, the transferFrom function includes the following logic to check and adjust the allowance:

    // WETH9-style allowance check inside transferFrom: a spender other than
    // `src` must hold an allowance unless it was granted an "infinite" (uint(-1)) approval.
    if (src != msg.sender && allowance[src][msg.sender] != uint(-1)) {
        require(allowance[src][msg.sender] >= wad);
        allowance[src][msg.sender] -= wad; // consume the spent allowance
    }

This ensures that the sender has the required approval to transfer the specified amount of tokens.

The WETH contract on Blast L2 omits this check.

When a smart contract that uses transferFrom for WETH is deployed on Blast L2, it will encounter this issue. During the execution of the transferFrom function, the lack of an allowance check causes the function to revert. This leads to the entire transaction failing, resulting in a denial of service for the affected contracts.

This issue affects the airdrop contracts deployed on Blast L2, as attempts to transfer WETH will always revert.

Impact

This issue causes the transferFrom function to always revert on the Blast L2 network due to the absence of a crucial allowance check in the WETH contract. When attempting to distribute WETH tokens using transferFrom, the function will always revert, leading to a DoS.

Tools Used

Manual Analysis

Recommendations

Implement a custom allowance check.
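One way to implement the recommended check on the airdrop side, as an added illustration rather than TSender's own code: the hypothetical contract below verifies the caller's allowance before calling transferFrom, and confirms the contract actually received the full amount before distributing. The IERC20 interface and the GuardedAirdrop contract and error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the airdrop contract relies on (assumed interface).
interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical airdrop contract (not TSender's code) showing an explicit
// allowance pre-check plus a balance-delta check before distribution.
contract GuardedAirdrop {
    error LengthMismatch();
    error InsufficientAllowance(uint256 required, uint256 actual);
    error PullFailed(uint256 expected, uint256 received);

    function airdrop(IERC20 token, address[] calldata recipients, uint256[] calldata amounts) external {
        if (recipients.length != amounts.length) revert LengthMismatch();

        // Total to pull from the caller; Solidity 0.8 reverts on overflow.
        uint256 total;
        for (uint256 i = 0; i < amounts.length; i++) {
            total += amounts[i];
        }

        // Custom allowance check: fail with a clear reason before calling transferFrom.
        uint256 allowed = token.allowance(msg.sender, address(this));
        if (allowed < total) revert InsufficientAllowance(total, allowed);

        // Pull the full amount once, then verify the contract really received it.
        // The delta check also catches tokens that move fewer units than requested.
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), total), "transferFrom returned false");
        uint256 received = token.balanceOf(address(this)) - before;
        if (received != total) revert PullFailed(total, received);

        // Distribute from the contract's own balance, as described in Vulnerability Details.
        for (uint256 i = 0; i < recipients.length; i++) {
            require(token.transfer(recipients[i], amounts[i]), "transfer returned false");
        }
    }
}
```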

Updates

Lead Judging Commences

inallhonesty (Lead Judge), about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
