RebateFi Hook
First Flight #53 (Beginner Friendly, DeFi, 100 EXP)

Submission Details
Impact: medium
Likelihood: high
Status: Invalid

Constructor Does Not Validate `_ReFi` Address, Allowing Zero Address or Malicious Token

Root + Impact

The constructor accepts an arbitrary `_ReFi` address without validation. This allows deployment with the zero address or with a malicious or non-ERC20 contract, breaking the hook's logic and potentially causing unexpected behavior or permanent malfunction.

Description

  • Under normal behavior, the hook should be initialized with a valid ERC20 ReFi token address, because all swap-direction logic depends on correctly identifying this token. A valid token address is essential for fee overrides, buy/sell direction checks, and overall protocol function.

  • However, the constructor does not validate the `_ReFi` parameter. This allows the contract to be deployed with:

    • the zero address,

    • an address that is not an ERC20 token,

    • or a malicious contract that reverts or behaves unexpectedly.

    This breaks all fee-direction logic in the hook, may cause swaps to revert, and can leave the protocol in an unrecoverable misconfigured state.


Risk

Likelihood:

  • The contract is deployed only once, and deployment misconfigurations happen frequently in ReFi/DeFi projects due to improper scripts.

  • No on-chain guardrails exist, so any project operator mistake immediately enters production.

Impact:

  • Fee logic becomes non-functional, breaking swap routing and causing any pool using the hook to fail.

  • If a malicious contract is supplied, it can trigger reentrancy, revert-bombs, or arbitrary code execution during fee-logic checks.

Proof of Concept

  • If `_ReFi == address(0)`, any subsequent swap calls such as `IERC20(ReFi).transfer(...)` will revert, making the hook unusable.

  • If `_ReFi` is a malicious contract that reverts or performs arbitrary actions in `transfer`/`balanceOf`, every swap that interacts with ReFi will fail or allow an attacker to manipulate state.

  • This demonstrates how a missing check can cause DoS, locked funds, or uncontrolled behavior in the protocol.

```solidity
constructor(IPoolManager _poolManager, address _ReFi)
    BaseHook(_poolManager)
    Ownable(msg.sender)
{
    ReFi = _ReFi; // no validation: zero address, EOA or arbitrary contract all accepted
}
```

Recommended Mitigation

  • `require(_ReFi != address(0))` prevents accidental zero-address assignment, avoiding swap reverts.

  • `require(_ReFi.code.length > 0)` ensures the address is a deployed contract, preventing accidental or malicious assignment of an EOA (externally owned account).

```solidity
constructor(IPoolManager _poolManager, address _ReFi)
    BaseHook(_poolManager)
    Ownable(msg.sender)
{
    require(_ReFi != address(0), "Invalid ReFi token");   // reject the zero address
    require(_ReFi.code.length > 0, "ReFi is not a contract"); // reject EOAs / undeployed addresses
    ReFi = _ReFi;
}
```
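As an added example, not code from the audited hook, a minimal stand-in constructor that applies both recommended checks and adds a cheap interface probe against the candidate token. The contract and interface names are hypothetical and the pool-manager / hook wiring is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface probed at deployment (hypothetical helper interface).
interface IERC20Probe {
    function totalSupply() external view returns (uint256);
    function balanceOf(address) external view returns (uint256);
}

// Hypothetical stand-in for the hook's constructor; pool-manager wiring omitted.
contract ReFiTokenGuard {
    address public immutable ReFi;

    error ZeroAddress();
    error NotAContract(address candidate);
    error NotERC20Like(address candidate);

    constructor(address _ReFi) {
        // 1. Zero address: every later IERC20(ReFi) call would revert.
        if (_ReFi == address(0)) revert ZeroAddress();
        // 2. EOA or not-yet-deployed address. Caveat: code.length is also 0 for a
        //    contract still in its own constructor, so deploy the token first.
        if (_ReFi.code.length == 0) revert NotAContract(_ReFi);
        // 3. Interface smoke test: totalSupply() and balanceOf() must not revert and
        //    must return one 32-byte word. Catches wrong-address deployments; it does
        //    not prove the token is honest, which no constructor check can.
        if (!_respondsAsErc20(_ReFi)) revert NotERC20Like(_ReFi);
        ReFi = _ReFi;
    }

    function _respondsAsErc20(address token) internal view returns (bool) {
        (bool ok1, bytes memory d1) =
            token.staticcall(abi.encodeCall(IERC20Probe.totalSupply, ()));
        (bool ok2, bytes memory d2) =
            token.staticcall(abi.encodeCall(IERC20Probe.balanceOf, (address(this))));
        return ok1 && ok2 && d1.length == 32 && d2.length == 32;
    }
}

// Deployment helper showing the checks in action: returns false when the guard
// refuses the candidate instead of bubbling the revert up to the deployer.
contract GuardDeployer {
    function tryDeploy(address candidate) external returns (bool deployed) {
        try new ReFiTokenGuard(candidate) returns (ReFiTokenGuard) {
            return true;   // a deployed ERC20-like token
        } catch {
            return false;  // address(0), an EOA, or a non-ERC20 contract
        }
    }
}
```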

Updates

Lead Judging Commences

chaossr Lead Judge 12 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
