TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: low
Invalid

Deny list token in the expected token integration doesn't function as intended

Summary

USDT tokens might be lost because of the blacklist mechanism and a broken expectation from the protocol documentation. This issue persists in all three implementations of the TSender protocol (Yul+Solidity, Huff, Huff with no checks).

Vulnerability Details

The TSender protocol documentation states the following as a known issue:
"Upgradable/Deny List tokens can prevent this contract from working. We expect that, in the case that this contract or any recipient is on a deny list, the entire transaction will revert."

But in fact, one of the expected token integrations doesn't follow this rule (USDT on Ethereum Mainnet).
The issue is that the USDT contract on Ethereum Mainnet allows tokens to be transferred to blacklisted addresses.
So if one of the recipients of the airdrop is a USDT-blacklisted address, the tokens would be sent to that address and the entire transaction won't be reverted!

This is unaligned with information in the documentation (broken expectation).

Impact

USDT tokens that were intended for an airdrop may be forever lost.

Tools Used

Manual analysis, unit tests

Recommendations

Change assumptions and expectations, and edit the documentation to align with this issue.
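The behaviour described under Vulnerability Details, as an added Python model that is not part of the submission or of the TSender code base: an atomic batch transfer run against a token that checks both sides of a transfer and against one that checks only the sender, plus a pre-flight recipient filter. The class, function and account names are constructed for illustration, and the `check_recipient` switch is an assumption that stands in for the two token behaviours.

```python
class Revert(Exception):
    """Models an EVM revert: the whole transaction is rolled back."""

class Token:
    # check_recipient=False models the behaviour the finding describes for
    # USDT on Ethereum Mainnet: transfers to deny-listed addresses succeed.
    def __init__(self, balances, deny_list, check_recipient):
        self.balances = dict(balances)
        self.deny_list = set(deny_list)
        self.check_recipient = check_recipient

    def transfer_from(self, src, dst, amount):
        if src in self.deny_list:
            raise Revert("sender on deny list")
        if self.check_recipient and dst in self.deny_list:
            raise Revert("recipient on deny list")
        if self.balances.get(src, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def airdrop(token, sender, recipients, amounts):
    """Atomic batch transfer: any failing transfer undoes the whole batch."""
    snapshot = dict(token.balances)
    try:
        for dst, amount in zip(recipients, amounts):
            token.transfer_from(sender, dst, amount)
    except Revert:
        token.balances = snapshot
        raise

def preflight(token, recipients):
    """Recipients on the deny list, to be dropped before the batch is sent."""
    return [r for r in recipients if r in token.deny_list]

def demo():
    # Constructed sample data: "bob" is the deny-listed recipient.
    recipients, amounts = ["alice", "bob", "carol"], [100, 100, 100]
    out = {}
    for name, strict in (("checks_recipient", True), ("sender_only", False)):
        token = Token({"sender": 300}, {"bob"}, strict)
        try:
            airdrop(token, "sender", recipients, amounts)
            out[name] = ("sent", token.balances.get("bob", 0))
        except Revert:
            out[name] = ("reverted", token.balances.get("bob", 0))
    out["flagged"] = preflight(Token({}, {"bob"}, False), recipients)
    return out
```

With the sender-only token the batch completes and the deny-listed recipient holds the funds, so the only place to stop the transfer is a check on the recipient list before the batch is submitted.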

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Oms Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
