Submission Details
Severity:
Incorrect Fee Calculation in Event Emission
Root + Impact
Description
-
Describe the normal behavior in one or more sentences
-
Explain the specific issue or problem in one or more sentences
The fee amount calculation for the `ReFiSold` event uses an incorrect denominator, resulting in fees being reported as 10x higher than actual.
**Description**:
* The normal behavior expects fees to be calculated correctly for event emission to reflect the actual fee charged by the protocol.
* The issue occurs in the `_beforeSwap` function where the fee amount is calculated using `/ 100000` instead of `/ 1000000`, causing the event to emit incorrect fee amounts (10x higher than actual).
**Root cause in the codebase**:
```solidity
// @> src/RebateFiHook.sol:166
uint256 feeAmount = (swapAmount * sellFee) / 100000;
```
According to `LPFeeLibrary.sol`, fees are represented in "hundredths of a bip" where `MAX_LP_FEE = 1,000,000` represents 100%. Therefore, a fee of 3000 represents 0.3% (3000/1,000,000), not 3% (3000/100,000).
Risk
Likelihood:
-
* This occurs on every sell transaction when the event is emitted
* The calculation is deterministic and always produces incorrect values
Impact:
-
* Off-chain systems monitoring events will receive incorrect fee data (10x inflated)
* Analytics dashboards and fee tracking systems will show wrong metrics
* Users and protocol monitoring tools will be misled about actual fees charged
Proof of Concept
The following demonstrates the incorrect fee calculation:
```solidity
// Test scenario: User sells 1000 ReFi tokens with 0.3% fee
uint256 swapAmount = 1000 ether;
uint24 sellFee = 3000; // Intended to represent 0.3% (3000/1,000,000)
// Current buggy implementation in _beforeSwap():
uint256 feeAmount = (swapAmount * sellFee) / 100000;
// Calculation: (1000 * 3000) / 100000 = 30,000,000 / 100000 = 300 ether
// Event emits: ReFiSold(sender, 1000 ether, 300 ether)
// Problem: Reports 300 ether fee (30%) instead of actual 3 ether (0.3%)
// What should happen:
uint256 feeAmount = (swapAmount * sellFee) / 1000000;
// Calculation: (1000 * 3000) / 1000000 = 30,000,000 / 1000000 = 3 ether
// Event emits: ReFiSold(sender, 1000 ether, 3 ether)
// Correct: Reports 3 ether fee (0.3%) matching actual fee charged
```
**Step-by-step execution:**
1. User initiates a sell swap of 1000 ReFi tokens
2. Hook's `_beforeSwap()` is called with `sellFee = 3000`
3. Fee calculation uses wrong denominator: `/ 100000` instead of `/ 1000000`
4. Event `ReFiSold` emits with `feeAmount = 300 ether` (10x inflated)
5. Off-chain systems reading the event see incorrect fee data
6. Analytics dashboards display wrong fee metrics to users
Recommended Mitigation
```diff
// src/RebateFiHook.sol:166
- uint256 feeAmount = (swapAmount * sellFee) / 100000;
+ uint256 feeAmount = (swapAmount * sellFee) / 1000000;
```
Updates
Lead Judging Commences
chaossr 12 days ago
Submission Judgement Published Assigned finding tags:
Incorrect denominator (100000 instead of likely 1000000 or 10000) in fee calculation for ReFiSold event.
Rewards breakdown
nSLOC
150This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.