From 6eeda01a427dce914b74c6a1f47c0a299b212db9 Mon Sep 17 00:00:00 2001
From: cryptotechmaker <grigore.cosmin@gmail.com>
Date: Fri, 15 Sep 2023 23:57:00 +0300
Subject: [PATCH 1/2] CU-85ztxzhem: whitelist exercise option

---
 contracts/tOFT/modules/BaseTOFTOptionsModule.sol | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/contracts/tOFT/modules/BaseTOFTOptionsModule.sol b/contracts/tOFT/modules/BaseTOFTOptionsModule.sol
index 47f0cf74..61f83ff9 100644
--- a/contracts/tOFT/modules/BaseTOFTOptionsModule.sol
+++ b/contracts/tOFT/modules/BaseTOFTOptionsModule.sol
@@ -83,8 +83,17 @@ contract BaseTOFTOptionsModule is TOFTCommon {
         ITapiocaOptionsBrokerCrossChain.IExerciseLZSendTapData
             calldata tapSendData,
         ICommonData.IApproval[] calldata approvals,
-        bytes calldata adapterParams
+        bytes calldata adapterParams,
+        ICluster _cluster
     ) external payable {
+        require(
+            _cluster.isWhitelisted(
+                lzData.lzDstChainId,
+                tapSendData.tapOftAddress
+            ),
+            "TOFT_UNAUTHORIZED"
+        ); //fail fast
+
         bytes32 toAddress = LzLib.addressToBytes32(optionsData.from);
 
         (uint256 paymentTokenAmount, ) = _removeDust(
@@ -190,6 +199,11 @@ contract BaseTOFTOptionsModule is TOFTCommon {
                 )
             );
 
+        require(
+            _cluster.isWhitelisted(0, tapSendData.tapOftAddress),
+            "TOFT_UNAUTHORIZED"
+        ); //fail fast
+
         optionsData.paymentTokenAmount = _sd2ld(amountSD);
         uint256 balanceBefore = balanceOf(address(this));
         bool credited = creditedPackets[_srcChainId][_srcAddress][_nonce];

From 0668692d3f0fb5a02d358feebdb1c5102b8b6099 Mon Sep 17 00:00:00 2001
From: cryptotechmaker <grigore.cosmin@gmail.com>
Date: Sat, 16 Sep 2023 00:15:37 +0300
Subject: [PATCH 2/2] CU-85ztxzhem: minor fix

---
 contracts/tOFT/modules/BaseTOFTOptionsModule.sol | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/contracts/tOFT/modules/BaseTOFTOptionsModule.sol b/contracts/tOFT/modules/BaseTOFTOptionsModule.sol
index 61f83ff9..92050b92 100644
--- a/contracts/tOFT/modules/BaseTOFTOptionsModule.sol
+++ b/contracts/tOFT/modules/BaseTOFTOptionsModule.sol
@@ -83,11 +83,10 @@ contract BaseTOFTOptionsModule is TOFTCommon {
         ITapiocaOptionsBrokerCrossChain.IExerciseLZSendTapData
             calldata tapSendData,
         ICommonData.IApproval[] calldata approvals,
-        bytes calldata adapterParams,
-        ICluster _cluster
+        bytes calldata adapterParams
     ) external payable {
         require(
-            _cluster.isWhitelisted(
+            cluster.isWhitelisted(
                 lzData.lzDstChainId,
                 tapSendData.tapOftAddress
             ),
@@ -200,7 +199,7 @@ contract BaseTOFTOptionsModule is TOFTCommon {
             );
 
         require(
-            _cluster.isWhitelisted(0, tapSendData.tapOftAddress),
+            cluster.isWhitelisted(0, tapSendData.tapOftAddress),
             "TOFT_UNAUTHORIZED"
         ); //fail fast