Open hats-bug-reporter[bot] opened 11 months ago
However, xHOPR tokens are transactional. Simply triggering `tokensReceived` has no side effect when whitehat's xHOPR balance is 0.
As stated in the contest rules, contracts in "static" folders are out of scope.
Github username: @Rotcivegaf
Submission hash (on-chain): 0x41daa1c5ecab36ef829213af707568b8caf36efdc726346634e50fb47bed9bf6
Severity: low
Description:
In the `gimmeToken` and `gimmeTokenFor` functions the storage variable `currentCaller` is set with the `msg.sender`/`staker` and used in the function `tokensReceived`: https://github.com/hats-finance/SafeStaking-by-HOPR-0x607386df18b663cf5ee9b879fbc1f32466ad5a85/blob/8822abcfa5348b8e1f45c1d9fa5a5135090e0622/packages/ethereum/contracts/src/static/stake/HoprWhitehat.sol#L204
After the call of `gimmeToken`/`gimmeTokenFor`, the `currentCaller` will be the last `msg.sender`/`staker`, allowing the bypass of the require
Recommendation
After being used, the variable `currentCaller` should be set to `address(0)`:
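The pattern described in the report, shown as an added illustration that is not the HoprWhitehat source and not the reporter's patch: one entry point leaves `currentCaller` set after the call, the other clears it. The contract name, the `IHookToken.pull` interface, the event and the `require` conditions are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified illustration only, NOT the HoprWhitehat contract.
// IHookToken and pull() are hypothetical stand-ins for a token that calls
// tokensReceived() on the recipient during a transfer (ERC777-style hook).
interface IHookToken {
    function pull(address from, uint256 amount) external;
}

contract StaleCallerGuard {
    IHookToken public immutable token; // hypothetical hook-calling token
    address public currentCaller;      // storage variable named in the report

    event Received(address indexed from, uint256 amount);

    constructor(IHookToken _token) {
        token = _token;
    }

    // Pattern described in the report: the guard value is written but never
    // cleared, so after the call returns it still names the last staker and
    // a later hook invocation for that address passes the check below.
    function gimmeTokenStale(uint256 amount) external {
        currentCaller = msg.sender;
        token.pull(msg.sender, amount);
    }

    // Recommended pattern: reset the guard once the hook has run, so the
    // check only passes while an entry-point call is in flight.
    function gimmeTokenReset(uint256 amount) external {
        currentCaller = msg.sender;
        token.pull(msg.sender, amount);
        currentCaller = address(0);
    }

    // Hook with assumed checks: only the token may call it, and only for the
    // account recorded by the entry point.
    function tokensReceived(address from, uint256 amount) external {
        require(msg.sender == address(token), "unexpected token");
        require(from == currentCaller, "not inside gimmeToken");
        emit Received(from, amount);
    }
}
```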