RebateFi Hook

First Flight #53

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

ChangeFee Lacks Maximum Fee Validation

seenu1947

Root + Impact

Description

Normal Behavior:
The ChangeFee function allows the contract owner to update buyFee and sellFee. Normally, the function should prevent setting excessive fees that could break protocol economics.
Observed Issue:

The current implementation does not validate fee values:
Problems:
1. Owner can set fees arbitrarily high (e.g., 100% or more).
2. Could break swaps, make transactions economically unviable, or confiscate all user funds.
3. No event emitted, making tracking changes difficult.

function ChangeFee(

bool _isBuyFee,

uint24 _buyFee,

bool _isSellFee,

uint24 _sellFee

) external onlyOwner {

if(_isBuyFee) buyFee = _buyFee; // X No validation

if(_isSellFee) sellFee = _sellFee; // X No validation

}

Risk

Likelihood:

Only owner can call this function, limiting exposure.

Misconfiguration or malicious owner action could still exploit this.

Impact:

Fees could be set to 100% or higher, preventing swaps and user withdrawals.

Users may lose funds or pay excessive fees, breaking trust and protocol usage.

Could cause economic collapse in pools if fees exceed acceptable bounds.

Proof of Concept

// Owner sets absurd fees

ChangeFee(true, 1_000_000, false, 500_000);

// Buggy code: buyFee = 1,000,000 (1000%), sellFee = 500,000 (500%)

// Fixed code: reverts with "Buy fee exceeds maximum" or "Sell fee exceeds maximum"

// No event emitted in buggy code

// Fixed code emits FeeChanged event for tracking

Recommended Mitigation

- if(_isBuyFee) buyFee = _buyFee;

- if(_isSellFee) sellFee = _sellFee;

+ uint24 public constant MAX_FEE = 100000;

+ event FeeChanged(bool isBuyFee, uint24 oldFee, uint24 newFee);

+ if(_isBuyFee) {

+ require(_buyFee <= MAX_FEE, "Buy fee exceeds maximum");

+ emit FeeChanged(true, buyFee, _buyFee);

+ buyFee = _buyFee;

+ }

+ if(_isSellFee) {

+ require(_sellFee <= MAX_FEE, "Sell fee exceeds maximum");

+ emit FeeChanged(false, sellFee, _sellFee);

+ sellFee = _sellFee;

+ }

Updates

Lead Judging Commences

chaossr Lead Judge 12 days ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

150

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!