Open hats-bug-reporter[bot] opened 11 months ago
Instructions on how to interact with this contract were communicated publicly.
As stated in the contest rules, contracts in "static" folders are out of scope.
Could you please let me see the said rules? I couldn't see where it is stated in the contest rules.
I can't see what you pointed out in the contest rules.
I believe providing the said rules as stated on the contest page would solve this.
Please check the "out of scope" section in https://app.hats.finance/audit-competitions/safestaking-by-hopr-0x607386df18b663cf5ee9b879fbc1f32466ad5a85/scope
Github username: @ololade97
Submission hash (on-chain): 0x18511f52b4d81273bbf1d977c649b29aaf4e0388eacf89eb442f5542f4b15724
Severity: high
Description:
Attachments: https://github.com/hoprnet/hoprnet/blob/274b59e409e6bf48c6d7d675de2d9905dcf1f813/packages/ethereum/contracts/src/static/stake/HoprWhitehat.sol
Proof of Concept (PoC) File:

```solidity
function gimmeToken() external nonReentrant {
    require(isActive, 'Whitehat is not active');
    // ensure STEP 1
    require(myHoprStake.owner() == address(this), 'HoprStake needs to transfer ownership');
    // ensure STEP 2
    require(
        ERC1820_REGISTRY.getInterfaceImplementer(msg.sender, TOKENS_RECIPIENT_INTERFACE_HASH) == address(this),
        'Caller has to set this contract as ERC1820 interface'
    );

    // store caller to be used throughout the call
    currentCaller = msg.sender;
    // updates the rewards inside the accounts mapping struct
    myHoprStake.sync(currentCaller);

    (, , , uint256 cumulatedRewards, uint256 claimedRewards) = myHoprStake.accounts(currentCaller);
    uint256 stakerEntitledReward = cumulatedRewards - claimedRewards;
    emit RequestedGimme(currentCaller, stakerEntitledReward);

    // send rewards to HoprStake to make sure claim within unlock works
    wxHopr.send(address(myHoprStake), stakerEntitledReward, '0x0');
    // unlock xHOPR
    myHoprStake.unlock(currentCaller);
}
```
The gimmeToken function relies on wxHopr tokens being pre-funded to the contract's address before this function is called. There is no check that verifies: