Root + Impact
Description
The constructor does not validate that the `_ReFi` token address is not the zero address, which could lead to the hook being deployed with an invalid token address, causing all pool validations and swap logic to fail.
**Description**:
* The expected behavior is that the constructor validates that the ReFi token address is a valid non-zero address before storing it as an immutable value.
* The specific issue is that if `address(0)` is passed as `_ReFi`, the hook will be deployed with an invalid token address, causing `_beforeInitialize` validation to always fail (since no pool will contain the zero address as a token) and `_isReFiBuy` logic to malfunction.
**Root cause in the codebase**:
```solidity
constructor(IPoolManager _poolManager, address _ReFi) BaseHook(_poolManager) Ownable(msg.sender) {
    ReFi = _ReFi;
}
```
No validation is performed to ensure `_ReFi != address(0)` before assigning it to the immutable `ReFi` variable.
Risk
Likelihood:
Impact:
* Hook deployed with invalid token address cannot be used with any pools
* All pool initializations will fail validation since no pool contains `address(0)` as a token
* Hook becomes completely non-functional and must be redeployed
* Gas wasted on deployment of unusable contract
Proof of Concept
The following demonstrates how a zero address can break the hook:
```solidity
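// 1. Deploy the hook with the zero address as the ReFi token
address zeroAddress = address(0);
IPoolManager poolManager = ...;
ReFiSwapRebateHook hook = new ReFiSwapRebateHook(poolManager, zeroAddress);

// 2. Build a pool key that contains the actual ReFi token
PoolKey memory key;
key.currency0 = Currency.wrap(actualReFiToken);
key.currency1 = Currency.wrap(otherToken);

// 3. The hook's check compares both currencies against ReFi, which is address(0) here
function _beforeInitialize(...) {
    if (Currency.unwrap(key.currency0) != ReFi &&
        Currency.unwrap(key.currency1) != ReFi) {
        revert ReFiNotInPool();
    }
}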
```
**Step-by-step execution:**
1. Deployer calls the constructor with `_ReFi = address(0)` (accidentally or maliciously)
2. Constructor stores `ReFi = address(0)` without validation
3. Hook is deployed but with invalid configuration
4. User attempts to initialize pool with actual ReFi token
5. `_beforeInitialize()` checks if pool contains `address(0)` (it never will)
6. Validation always fails, no pools can be initialized
7. Hook is completely non-functional, must be redeployed
Recommended Mitigation
Add zero address validation in the constructor:
```diff
// src/RebateFiHook.sol:48-50
+ error InvalidReFiAddress();
// src/RebateFiHook.sol:60-62
constructor(IPoolManager _poolManager, address _ReFi) BaseHook(_poolManager) Ownable(msg.sender) {
+ if (_ReFi == address(0)) {
+ revert InvalidReFiAddress();
+ }
ReFi = _ReFi;
}
```
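Review bot: The guard `if (_ReFi == address(0))` in the constructor rejects only the zero address, so any other value that is not a token contract (for example an address with no deployed code) is still stored in the immutable `ReFi` and leaves the hook just as unusable. Consider also reverting when `_ReFi.code.length == 0`, and add a deployment test that expects `InvalidReFiAddress` when `address(0)` is passed, so the check cannot be dropped silently in a later refactor.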
**Explanation:**
- Validate that `_ReFi` is not the zero address before storing
- Revert with a clear custom error (`InvalidReFiAddress`) if the zero address is provided
- Prevents deployment of non-functional hooks
- Ensures hook can only be deployed with valid token addresses
- Follows best practice of validating constructor parameters