hats-finance / SafeStaking-by-HOPR-0x607386df18b663cf5ee9b879fbc1f32466ad5a85

HOPR is an open incentivized mixnet which enables privacy-preserving point-to-point data exchange. HOPR is similar to Tor but actually private, decentralized and economically sustainable.
https://hoprnet.org
GNU General Public License v3.0

gimmeToken function does not check that the contract has pre-funded wxHopr #39

Open hats-bug-reporter[bot] opened 11 months ago

hats-bug-reporter[bot] commented 11 months ago

Github username: @ololade97 Submission hash (on-chain): 0x18511f52b4d81273bbf1d977c649b29aaf4e0388eacf89eb442f5542f4b15724 Severity: high

Description:

Attack Scenario: Describe how the vulnerability can be exploited.

Attachments https://github.com/hoprnet/hoprnet/blob/274b59e409e6bf48c6d7d675de2d9905dcf1f813/packages/ethereum/contracts/src/static/stake/HoprWhitehat.sol

  1. Proof of Concept (PoC) File

```solidity
function gimmeToken() external nonReentrant {
    require(isActive, 'Whitehat is not active'); // ensure STEP 1
    require(myHoprStake.owner() == address(this), 'HoprStake needs to transfer ownership'); // ensure STEP 2
    require(
        ERC1820_REGISTRY.getInterfaceImplementer(msg.sender, TOKENS_RECIPIENT_INTERFACE_HASH) == address(this),
        'Caller has to set this contract as ERC1820 interface'
    );

    // store caller to be used throughout the call
    currentCaller = msg.sender;
    // updates the rewards inside the accounts mapping struct
    myHoprStake.sync(currentCaller);

    ( , , , uint256 cumulatedRewards, uint256 claimedRewards ) = myHoprStake.accounts(currentCaller);
    uint256 stakerEntitledReward = cumulatedRewards - claimedRewards;
    emit RequestedGimme(currentCaller, stakerEntitledReward);

    // send rewards to HoprStake to make sure claim within unlock works
    wxHopr.send(address(myHoprStake), stakerEntitledReward, '0x0');
    // unlock xHOPR
    myHoprStake.unlock(currentCaller);
}
```

The gimmeToken function relies on wxHopr tokens being pre-funded to the contract's address before this function is called. There is no check that verifies:

  1. Revised Code File (Optional)
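The report above stops short of a revised code file. As an added illustration (not the HOPR project's code and not the reporter's submission), here is a minimal whitehat-style contract that adds the missing funding check: before sending rewards on to the stake contract it compares its own wxHopr balance against the staker's entitlement and reverts with an explicit reason if the contract was never pre-funded. The `IERC777Like` and `IStakeLike` interfaces and the `fundingShortfall` helper are assumptions made for this example; the original's `isActive`, ownership, ERC1820 and `nonReentrant` checks are left out to keep the example focused on the balance check.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

// Assumed minimal interfaces for this example (not the project's own declarations).
interface IERC777Like {
    function balanceOf(address holder) external view returns (uint256);
    function send(address recipient, uint256 amount, bytes calldata data) external;
}

interface IStakeLike {
    function sync(address account) external;
    function accounts(address account)
        external
        view
        returns (uint256, uint256, uint256, uint256, uint256);
    function unlock(address account) external;
}

contract WhitehatWithFundingCheck {
    IERC777Like public immutable wxHopr;
    IStakeLike public immutable myHoprStake;
    address public currentCaller;

    event RequestedGimme(address indexed account, uint256 entitledReward);

    constructor(IERC777Like _wxHopr, IStakeLike _stake) {
        wxHopr = _wxHopr;
        myHoprStake = _stake;
    }

    // View helper (assumed name): how many wxHopr this contract is short of
    // for a given payout. Callers and monitoring can query this before spending gas.
    function fundingShortfall(uint256 needed) public view returns (uint256) {
        uint256 available = wxHopr.balanceOf(address(this));
        return needed > available ? needed - available : 0;
    }

    function gimmeToken() external {
        currentCaller = msg.sender;
        myHoprStake.sync(currentCaller);

        (, , , uint256 cumulatedRewards, uint256 claimedRewards) =
            myHoprStake.accounts(currentCaller);
        uint256 stakerEntitledReward = cumulatedRewards - claimedRewards;

        // The check the report asks for: fail early with a clear reason instead of
        // letting the ERC777 send() revert with an opaque insufficient-balance error.
        require(
            fundingShortfall(stakerEntitledReward) == 0,
            'Whitehat: contract is not pre-funded with enough wxHopr'
        );

        emit RequestedGimme(currentCaller, stakerEntitledReward);

        // Forward the rewards so the claim inside unlock() can succeed, then unlock.
        wxHopr.send(address(myHoprStake), stakerEntitledReward, '');
        myHoprStake.unlock(currentCaller);
    }
}
```

The practical difference is operational rather than cryptoeconomic: an un-funded contract already fails, because `send()` reverts, but the explicit `require` gives stakers and operators a readable revert reason, and the `fundingShortfall` view lets a deployment checklist or monitor confirm the contract holds enough wxHopr before it is announced as active.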
QYuQianchen commented 10 months ago

Instructions on how to interact with this contract were communicated publicly.

QYuQianchen commented 10 months ago

As stated in the contest rules, contracts in "static" folders are out of scope.

ololade97 commented 10 months ago

Could you please let me see the said rules? Because I couldn't see where it is stated in the contest rules.

ololade97 commented 10 months ago

I can't see what you pointed out in the contest rules.

I believe providing the said rules as stated on the contest page would solve this.

QYuQianchen commented 10 months ago

Please check the "out of scope" section in https://app.hats.finance/audit-competitions/safestaking-by-hopr-0x607386df18b663cf5ee9b879fbc1f32466ad5a85/scope