hats-finance / SafeStaking-by-HOPR-0x607386df18b663cf5ee9b879fbc1f32466ad5a85

HOPR is an open incentivized mixnet which enables privacy-preserving point-to-point data exchange. HOPR is similar to Tor but actually private, decentralized and economically sustainable.
https://hoprnet.org
GNU General Public License v3.0

Dust caller in variable `currentCaller` of the contract **HoprWhitehat** #47

Open hats-bug-reporter[bot] opened 11 months ago

hats-bug-reporter[bot] commented 11 months ago

Github username: @Rotcivegaf
Submission hash (on-chain): 0x41daa1c5ecab36ef829213af707568b8caf36efdc726346634e50fb47bed9bf6
Severity: low

Description

In the `gimmeToken` and `gimmeTokenFor` functions, the storage variable `currentCaller` is set to the `msg.sender`/staker and used in the function `tokensReceived`:

https://github.com/hats-finance/SafeStaking-by-HOPR-0x607386df18b663cf5ee9b879fbc1f32466ad5a85/blob/8822abcfa5348b8e1f45c1d9fa5a5135090e0622/packages/ethereum/contracts/src/static/stake/HoprWhitehat.sol#L204

After the call of `gimmeToken`/`gimmeTokenFor`, `currentCaller` will be the last `msg.sender`/staker, allowing the bypass of the `require`.

Recommendation

After use, the variable `currentCaller` should be set to `address(0)`:

@@ -158,6 +158,8 @@ contract HoprWhitehat is Ownable, IERC777Recipient, IERC721Receiver, ERC1820Impl
     wxHopr.send(address(myHoprStake), stakerEntitledReward, '0x0');
     // unlock xHOPR
     myHoprStake.unlock(currentCaller);
+
+    currentCaller = address(0);
   }

   // entry function to be called by users who can unlock their tokens (users who have rewards)
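
Review bot: the added `currentCaller = address(0);` at the end of this block only clears the value after `myHoprStake.unlock(currentCaller)` has returned, so it narrows the stale-value window to the duration of the call but does nothing for the read inside `tokensReceived`, which the description identifies as where the `require` is evaluated; any path that sets `currentCaller` and leaves the function without reaching this tail would still leave the previous staker in storage. Pair the reset with a fail-closed guard in `tokensReceived` (`require(currentCaller != address(0), "...")`) so that a transfer arriving outside an active `gimmeToken`/`gimmeTokenFor` call reverts instead of being compared against whatever address was set last.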
@@ -187,6 +189,8 @@ contract HoprWhitehat is Ownable, IERC777Recipient, IERC721Receiver, ERC1820Impl
     wxHopr.send(address(myHoprStake), stakerEntitledReward, '0x0');
     // unlock xHOPR
     myHoprStake.unlock(currentCaller);
+
+    currentCaller = address(0);
   }
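
Review bot: this tail (`wxHopr.send(...)`, `myHoprStake.unlock(currentCaller)`, reset) is now duplicated verbatim with the `@@ -158` hunk above, so the two entry points can drift apart the next time one of them is edited; move the send/unlock/reset sequence into a single internal helper (for example `_finishUnlock(address staker)`, a hypothetical name) called from both `gimmeToken` and `gimmeTokenFor`, so the reset cannot be forgotten on one path. Separately, the `'0x0'` passed as the `data` argument of `wxHopr.send` in both hunks is the three-byte string literal "0x0", not empty bytes; if no user data is intended, pass `""`.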
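
To make the pattern in the report concrete, the following is an added, self-contained Solidity illustration of a "transient caller" flow: a storage address is set on entry, consumed inside the ERC777 `tokensReceived` hook, and cleared on exit, with the hook refusing to run when no flow is active. This is example code written for this page, not the HoprWhitehat contract or any HOPR code; the contract name `TransientCallerExample`, the `IStakeLike` interface, the `claimed` mapping and the `_unlockFor` helper are all assumptions, and ERC1820 registration of the recipient interface is omitted.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

// Added, hypothetical illustration of the "transient caller" pattern discussed
// in the report above. Not the HoprWhitehat contract; all names are assumed.

// ERC777 recipient hook signature (standard interface, declared inline so the
// file compiles stand-alone).
interface IERC777Recipient {
    function tokensReceived(
        address operator,
        address from,
        address to,
        uint256 amount,
        bytes calldata userData,
        bytes calldata operatorData
    ) external;
}

// Minimal stand-in for the staking contract the whitehat talks to (assumed).
interface IStakeLike {
    function unlock(address staker) external;
}

contract TransientCallerExample is IERC777Recipient {
    IStakeLike public immutable stake;    // assumed external staking contract
    address public immutable rewardToken; // assumed ERC777 reward token

    // Set on entry to an unlock flow, read inside tokensReceived, cleared on
    // exit. address(0) doubles as the "no flow in progress" sentinel.
    address public currentCaller;

    // Rewards credited per staker by the hook (assumed bookkeeping).
    mapping(address => uint256) public claimed;

    constructor(IStakeLike _stake, address _rewardToken) {
        stake = _stake;
        rewardToken = _rewardToken;
    }

    // Entry point 1: caller unlocks for themselves.
    function gimmeToken() external {
        _unlockFor(msg.sender);
    }

    // Entry point 2: unlock on behalf of another staker.
    function gimmeTokenFor(address staker) external {
        _unlockFor(staker);
    }

    // One shared path for both entry points, so set/clear of currentCaller
    // cannot diverge between them.
    function _unlockFor(address staker) internal {
        require(staker != address(0), "zero staker");
        require(currentCaller == address(0), "flow already in progress");
        currentCaller = staker;

        // The staking contract is expected to send reward tokens back to this
        // contract during unlock, which invokes tokensReceived re-entrantly.
        stake.unlock(staker);

        // Clear before returning so a later, unrelated transfer can never be
        // credited to a stale staker address.
        currentCaller = address(0);
    }

    // ERC777 hook. Fails closed: a transfer arriving outside an active flow
    // (currentCaller == address(0)) reverts instead of being matched against
    // whatever address was set last.
    function tokensReceived(
        address, /* operator */
        address from,
        address, /* to */
        uint256 amount,
        bytes calldata, /* userData */
        bytes calldata /* operatorData */
    ) external override {
        require(msg.sender == rewardToken, "unexpected token");
        require(currentCaller != address(0), "no unlock in progress");
        require(from == address(stake), "unexpected sender");
        claimed[currentCaller] += amount;
    }
}
```

Without the `currentCaller != address(0)` check, any reward-token transfer reaching `tokensReceived` after a completed flow would credit whichever staker ran last; with the reset alone the window is narrowed, with the guard as well the hook refuses to act on a stale value.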

QYuQianchen commented 10 months ago

However, xHOPR tokens are transactional. Simply triggering `tokensReceived` has no side effect when the whitehat's xHOPR balance is 0.

QYuQianchen commented 10 months ago

As stated in the contest rules, contracts in "static" folders are out of scope.