hats-finance / Tapioca-0xe0b920d38a0900af3bab7ff0ca0af554129f54ad


Anybody can become a broker #5

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0xee15f36654276bee49dc121ecc1d512f5b80f55d0f17ec450e1c272176859071
Severity: high

Description

In oTAP.sol anybody can become a broker.

Attack Scenario

This is the brokerClaim() function:

    function brokerClaim() external {
        if (broker != address(0)) revert OnlyOnce();
        broker = msg.sender;
    }

There is a logical error here. The purpose is to call the function only once. But right now anyone can call it after that and become a broker.

To fix the bug change the function to:

    function brokerClaim() external {
        if (broker == address(0)) revert OnlyOnce();
        broker = msg.sender;
    }

maarcweiss commented 1 month ago

Invalid, it is claimed directly from contracts like TapiocaOptionBroker on the init function: https://github.com/Tapioca-DAO/tap-token/blob/ed5d47ef05ddc61c10cd71e7104b44a99c665d55/contracts/options/TapiocaOptionBroker.sol#L489
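The claim-once guard discussed in this thread, as an added Foundry test that is not part of the report or of the Tapioca code base: MinimalOTAP and BrokerClaimer are hypothetical stand-ins, and the forge-std import is assumed. It exercises the unmodified `broker != address(0)` check, showing the first claim from a contract's constructor succeeding (the init pattern the maintainer refers to) and any later caller reverting with OnlyOnce.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import "forge-std/Test.sol"; // assumed: Foundry's forge-std test helpers

// Hypothetical minimal stand-in for the oTAP broker guard under discussion
// (not the Tapioca contract itself).
contract MinimalOTAP {
    error OnlyOnce();
    address public broker;

    // Unmodified logic as quoted in the report: reverts once a broker is set.
    function brokerClaim() external {
        if (broker != address(0)) revert OnlyOnce();
        broker = msg.sender;
    }
}

// Hypothetical stand-in for a broker contract that claims during its init,
// the pattern the maintainer points to in TapiocaOptionBroker.
contract BrokerClaimer {
    constructor(MinimalOTAP otap) {
        otap.brokerClaim();
    }
}

contract BrokerClaimTest is Test {
    MinimalOTAP internal otap;

    function setUp() public {
        otap = new MinimalOTAP();
    }

    // First claim, made from the claimer's constructor, records that contract.
    function testContractClaimsOnceDuringInit() public {
        BrokerClaimer claimer = new BrokerClaimer(otap);
        assertEq(otap.broker(), address(claimer));
    }

    // Any later caller, EOA or contract, is stopped by the OnlyOnce guard.
    function testSecondClaimReverts() public {
        new BrokerClaimer(otap);
        vm.prank(address(0xBEEF)); // constructed unrelated caller
        vm.expectRevert(MinimalOTAP.OnlyOnce.selector);
        otap.brokerClaim();
    }
}
```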