search

hats-finance / SafeStaking-by-HOPR-0x607386df18b663cf5ee9b879fbc1f32466ad5a85

HOPR is an open incentivized mixnet which enables privacy-preserving point-to-point data exchange. HOPR is similar to Tor but actually private, decentralized and economically sustainable.
https://hoprnet.org
GNU General Public License v3.0
0 stars 1 forks source link

`ownerRescueBoosterNft` did not check whether `myHoprStake.owner()` is qualified #20

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @9olidity Submission hash (on-chain): 0x48ec22da6f1f0c22ac01d03e06a594cedf720012eb7ee428f33f63e859ef7f13 Severity: low

Description: Description\ ownerRescueBoosterNft did not check whether myHoprStake.owner() is qualified

Attack Scenario\

The reclaimErc721Tokens() function will send nft to the owner of myHoprStake contract. Generally, the owner is the current HoprWhitehat contract address, but here the administrator can modify the owner address of myHoprStake contract through transferBackOwnership(). If myHoprStake::owner is not address (this), then nft cannot be transferred. , this function failed to execute

function ownerRescueBoosterNft(address stakerAddress, uint256 tokenId) external onlyOwner {
    myHoprStake.reclaimErc721Tokens(address(myHoprBoost), tokenId);
    // reclaim erc721 of the lockedAddress
    emit ReclaimedBoost(stakerAddress, tokenId);
    // forward the 721 to the original staker
    myHoprBoost.safeTransferFrom(address(this), stakerAddress, tokenId);
  }

Attachments

  1. Proof of Concept (PoC) File

The administrator executes the transferBackOwnership function to modify the myHoprStake contract owner address.

  1. Revised Code File (Optional) Refer to the code in the gimmeToken() function
function ownerRescueBoosterNft(address stakerAddress, uint256 tokenId) external onlyOwner {
+   require(myHoprStake.owner() == address(this), 'HoprStake needs to transfer ownership');
    myHoprStake.reclaimErc721Tokens(address(myHoprBoost), tokenId);
    // reclaim erc721 of the lockedAddress
    emit ReclaimedBoost(stakerAddress, tokenId);
    // forward the 721 to the original staker
    myHoprBoost.safeTransferFrom(address(this), stakerAddress, tokenId);
  }
QYuQianchen commented 1 year ago

Thank you for the submission. "WhiteHat" contract is retired so no transferownership will happen, nor will it have any impact. Event during its service, the basic trust assumption is that the administrator doesn't perform arbitrary ownership transfer.

QYuQianchen commented 1 year ago

As stated in the contest rules, contracts in "static" folders are out of scope.