hats-finance / SafeStaking-by-HOPR-0x607386df18b663cf5ee9b879fbc1f32466ad5a85

HOPR is an open incentivized mixnet which enables privacy-preserving point-to-point data exchange. HOPR is similar to Tor but actually private, decentralized and economically sustainable.
https://hoprnet.org
GNU General Public License v3.0

`reclaimErc20Tokens()` can take out REWARD_TOKEN #13

Open hats-bug-reporter[bot] opened 12 months ago

hats-bug-reporter[bot] commented 12 months ago

Github username: @9olidity
Submission hash (on-chain): 0x952e8f7eda8b4491a1d2d95c89e1659a595541d8f82c9462e3cc2fa3ccf483d4
Severity: high

Description

The stated purpose of `HoprStake::reclaimErc20Tokens()` is:

Reclaim any ERC20 token being accidentally sent to the contract.

However, the function only checks whether the token is LOCK_TOKEN; it does not check whether the token is REWARD_TOKEN. If the administrator takes the REWARD_TOKEN out of the contract, the `_claim()` function will no longer execute normally, because the contract will not hold enough REWARD_TOKEN.

This situation is possible; after all, the function already handles the case where tokenAddress is LOCK_TOKEN.

Attack Scenario

When the administrator executes the reclaimErc20Tokens() function with the input tokenAddress set to the REWARD_TOKEN address.

Attachments

  1. Proof of Concept (PoC) File

When the administrator executes the reclaimErc20Tokens() function with the input tokenAddress set to the REWARD_TOKEN address.

  1. Revised Code File (Optional)
    // File: HoprStake.sol
    function reclaimErc20Tokens(address tokenAddress) external onlyOwner nonReentrant {
    uint256 difference;
    +   require(tokenAddress != REWARD_TOKEN);
    if (tokenAddress == LOCK_TOKEN) {
      difference = IERC20(LOCK_TOKEN).balanceOf(address(this)) - totalLocked;
    } else {
      difference = IERC20(tokenAddress).balanceOf(address(this)); 
    }
    IERC20(tokenAddress).safeTransfer(owner(), difference);
    }
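Review bot: the added `require(tokenAddress != REWARD_TOKEN);` rejects every REWARD_TOKEN reclaim, including any surplus above what `_claim()` still has to pay out, which is broader than the finding calls for; the narrower change mirrors the existing `LOCK_TOKEN` branch (`difference = IERC20(LOCK_TOKEN).balanceOf(address(this)) - totalLocked;`) and subtracts the reward amount still owed to stakers from `IERC20(REWARD_TOKEN).balanceOf(address(this))` before transferring the difference. The `require` also carries no revert reason string, so a rejected call gives the owner nothing to diagnose.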
QYuQianchen commented 11 months ago

This is expected, as the owner can take out excessive unclaimed reward tokens to adjust for errors in calculation.
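The two positions above (the finding that reclaiming REWARD_TOKEN breaks `_claim()`, and the reply that reclaiming the surplus is intended) can be reconciled by accounting for what is still owed. The Python model below is an added example, not HOPR project code or a translation of HoprStake.sol: it models the reclaim logic as reported, beside a hardened variant that keeps the surplus reclaimable but refuses to dip into unclaimed rewards. The `Token` ledger, the account names, the amounts, and the `total_owed` counter are constructed for the illustration; HoprStake as shown on this page tracks `totalLocked` but no such reward counter.

```python
# Python model of HoprStake.reclaimErc20Tokens() accounting. Added example,
# not HOPR project code; token/contract names, amounts and the `total_owed`
# counter are assumptions made for the illustration.


class InsufficientBalance(Exception):
    """Raised when a transfer would overdraw the sender (an ERC20 transfer revert)."""


class Token:
    """Minimal ERC20-like balance ledger (constructed for the model)."""

    def __init__(self, name):
        self.name = name
        self.balances = {}

    def balance_of(self, holder):
        return self.balances.get(holder, 0)

    def mint(self, to, amount):
        self.balances[to] = self.balance_of(to) + amount

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise InsufficientBalance(
                f"{self.name}: {sender} holds {self.balance_of(sender)}, needs {amount}")
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount


class StakeModel:
    """Models the LOCK_TOKEN / REWARD_TOKEN accounting of a HoprStake-like contract."""

    def __init__(self, lock_token, reward_token, owner, address="stake"):
        self.LOCK_TOKEN = lock_token
        self.REWARD_TOKEN = reward_token
        self.owner = owner
        self.address = address
        self.total_locked = 0   # mirrors totalLocked in the contract
        self.total_owed = 0     # assumed counter: rewards accrued but not yet claimed
        self.rewards = {}       # per-account unclaimed rewards

    def lock(self, account, amount):
        self.LOCK_TOKEN.transfer(account, self.address, amount)
        self.total_locked += amount

    def accrue(self, account, amount):
        """Credit reward to an account; the real reward schedule is abstracted away."""
        self.rewards[account] = self.rewards.get(account, 0) + amount
        self.total_owed += amount

    def claim(self, account):
        """Models _claim(): pays out, and reverts if the contract lacks REWARD_TOKEN."""
        amount = self.rewards.get(account, 0)
        self.REWARD_TOKEN.transfer(self.address, account, amount)
        self.rewards[account] = 0
        self.total_owed -= amount
        return amount

    def reclaim_erc20_tokens_original(self, token):
        """As reported: only LOCK_TOKEN is protected; REWARD_TOKEN is fully reclaimable."""
        if token is self.LOCK_TOKEN:
            difference = token.balance_of(self.address) - self.total_locked
        else:
            difference = token.balance_of(self.address)
        token.transfer(self.address, self.owner, difference)
        return difference

    def reclaim_erc20_tokens_hardened(self, token):
        """Assumed fix: surplus REWARD_TOKEN stays reclaimable, owed rewards do not."""
        if token is self.LOCK_TOKEN:
            difference = token.balance_of(self.address) - self.total_locked
        elif token is self.REWARD_TOKEN:
            difference = token.balance_of(self.address) - self.total_owed
        else:
            difference = token.balance_of(self.address)
        token.transfer(self.address, self.owner, difference)
        return difference


def run_scenario(hardened):
    """Owner reclaims REWARD_TOKEN, then a staker tries to claim; returns the outcome."""
    lock, reward = Token("LOCK"), Token("REWARD")
    stake = StakeModel(lock, reward, owner="owner")
    lock.mint("alice", 100)
    reward.mint(stake.address, 1_000)   # rewards funded into the contract (constructed numbers)
    stake.lock("alice", 100)
    stake.accrue("alice", 300)          # alice is owed 300; the remaining 700 is genuine surplus
    reclaim = stake.reclaim_erc20_tokens_hardened if hardened else stake.reclaim_erc20_tokens_original
    reclaimed = reclaim(reward)
    try:
        stake.claim("alice")
        claim_ok = True
    except InsufficientBalance:
        claim_ok = False
    return {
        "reclaimed": reclaimed,
        "claim_ok": claim_ok,
        "alice_reward": reward.balance_of("alice"),
        "contract_reward": reward.balance_of(stake.address),
    }


if __name__ == "__main__":
    print("original:", run_scenario(hardened=False))
    print("hardened:", run_scenario(hardened=True))
```

With the reported logic the owner's reclaim drains all 1,000 reward tokens and alice's claim reverts; with the hardened variant the owner still receives the 700 surplus while the 300 owed to alice remains claimable, which is the behaviour the reply describes without the failure mode the finding describes.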