RebateFi Hook

First Flight #53
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: low
Likelihood: medium
Invalid

Since the `buyFee` state variable can be changed to a non-zero value, the `fee` parameter should be added to the `ReFiBought` event, as well.

Root + Impact

Description

  • The default value of the `ReFiSwapRebateHook::buyFee` state variable is 0. However, it can be changed by the owner.

  • Therefore, it is recommended to include the `fee` parameter in the emitted event (as the `ReFiSold` event does) so that external and off-chain services are fully informed of the details of the transaction.

  • In addition to this change to the event structure, the actual `feeAmount` should also be calculated in the `ReFiSwapRebateHook::_beforeSwap` function so that it can be included in the event.

```solidity
@> event ReFiBought(address indexed buyer, uint256 amount);
.
.
.
function _beforeSwap(address sender, PoolKey calldata key, SwapParams calldata params, bytes calldata)
    internal override returns (bytes4, BeforeSwapDelta, uint24) {
    bool isReFiBuy = _isReFiBuy(key, params.zeroForOne);
    uint256 swapAmount = params.amountSpecified < 0
        ? uint256(-params.amountSpecified)
        : uint256(params.amountSpecified);
    uint24 fee;
    if (isReFiBuy) {
        fee = buyFee;
@>      // The feeAmount for buyFee should be calculated and be included in the event (It may be non-zero).
        emit ReFiBought(sender, swapAmount);
    } else {
        fee = sellFee;
        uint256 feeAmount = (swapAmount * sellFee) / 100000;
        emit ReFiSold(sender, swapAmount, feeAmount);
    }
    return (
        BaseHook.beforeSwap.selector,
        BeforeSwapDeltaLibrary.ZERO_DELTA,
        fee | LPFeeLibrary.OVERRIDE_FEE_FLAG
    );
}
```

Risk

Likelihood: Medium

  • Since buying the ReFi token makes up almost half of the swap transactions, it is fairly likely to happen, and it happens every time a user buys the token.


Impact: Low

  • It does not have any direct effect on the dapp. It can only affect the functionality of external apps such as the UI.
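
What this means for an off-chain consumer, as an added example (not code from the submission or the project): a decoder for the `ReFiBought` log data in both the current layout and the layout the submission recommends. The log values, the placeholder `topic0` and the divisor of 1,000,000 as the fee unit are assumptions made for the illustration.

```python
PIPS = 1_000_000  # divisor used in the recommended mitigation (assumed fee unit)

def word(data: bytes, i: int) -> int:
    """Return the i-th 32-byte ABI word of the log data as an unsigned int."""
    return int.from_bytes(data[32 * i:32 * (i + 1)], "big")

def decode_refi_bought(topics, data):
    """Decode ReFiBought in the current (amount) or proposed (amount, fee) layout."""
    # topics[0] is the event signature hash (differs between the two layouts,
    # not checked here); topics[1] is the indexed buyer, left-padded to 32 bytes.
    if len(topics) != 2 or len(data) not in (32, 64):
        raise ValueError("not a ReFiBought log in a known layout")
    return {
        "buyer": "0x" + topics[1][-20:].hex(),
        "amount": word(data, 0),
        "fee_amount": word(data, 1) if len(data) == 64 else None,
    }

def reconcile(topics, data, buy_fee_at_block):
    """Classify one log against the buyFee the consumer believes was in force."""
    ev = decode_refi_bought(topics, data)
    expected = ev["amount"] * buy_fee_at_block // PIPS
    if ev["fee_amount"] is None:
        # Current layout: the fee is not in the log, so the result is only as
        # good as the consumer's separate knowledge of buyFee at that block.
        return ("fee-not-in-log", expected)
    status = "ok" if ev["fee_amount"] == expected else "mismatch"
    return (status, ev["fee_amount"])

# Constructed sample logs (placeholder topic0, made-up buyer and amounts).
TOPIC0 = bytes(32)
BUYER = bytes(12) + bytes.fromhex("11" * 20)
AMOUNT = (1_000_000).to_bytes(32, "big")
CURRENT_LOG = ([TOPIC0, BUYER], AMOUNT)
PROPOSED_LOG = ([TOPIC0, BUYER], AMOUNT + (3000).to_bytes(32, "big"))

if __name__ == "__main__":
    for name, (topics, data) in (("current", CURRENT_LOG), ("proposed", PROPOSED_LOG)):
        print(name, decode_refi_bought(topics, data), reconcile(topics, data, 3000))
```

With the current layout the consumer can only estimate the fee from a `buyFee` value it tracks separately; with the proposed layout a stale `buyFee` on the consumer side shows up as a mismatch.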


Proof of Concept

To reproduce the situation, you simply need to:

  1. Run the program in Remix.

  2. Buy the ReFi token.

  3. See the event in the terminal.

Recommended Mitigation

Please make the following adjustments to solve the issue.

- event ReFiBought(address indexed buyer, uint256 amount);
+ event ReFiBought(address indexed buyer, uint256 amount, uint256 fee);
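
Review bot: the new third parameter of `ReFiBought` is named `fee`, but the function below passes `feeAmount` (a `uint256` amount, not the `uint24` rate held in the local `fee`); naming it `feeAmount` would keep indexers from reading it as the rate. Adding a parameter also changes the event signature, so off-chain subscribers filtering on the old two-argument event would need to be updated together with this change.
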
.
.
.
function _beforeSwap(address sender, PoolKey calldata key, SwapParams calldata params, bytes calldata)
internal override returns (bytes4, BeforeSwapDelta, uint24) {
bool isReFiBuy = _isReFiBuy(key, params.zeroForOne);
uint256 swapAmount = params.amountSpecified < 0
? uint256(-params.amountSpecified)
: uint256(params.amountSpecified);
uint24 fee;
+ uint256 feeAmount;
if (isReFiBuy) {
fee = buyFee;
+ feeAmount = (swapAmount * fee) / 1_000_000;
- emit ReFiBought(sender, swapAmount);
+ emit ReFiBought(sender, swapAmount, feeAmount);
} else {
fee = sellFee;
- uint256 feeAmount = (swapAmount * sellFee) / 100000;
+ feeAmount = (swapAmount * fee) / 1_000_000;
emit ReFiSold(sender, swapAmount, feeAmount);
}
return (
BaseHook.beforeSwap.selector,
BeforeSwapDeltaLibrary.ZERO_DELTA,
fee | LPFeeLibrary.OVERRIDE_FEE_FLAG
);
}
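
Review bot: the sell branch changes the divisor from `100000` to `1_000_000`, so the `feeAmount` emitted in `ReFiSold` becomes ten times smaller than before, yet the description only covers adding the fee to `ReFiBought`. State which divisor matches the unit of `buyFee`/`sellFee` and either justify this line in the finding or move it to a separate change.
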
Updates

Lead Judging Commences

chaossr Lead Judge 12 days ago
Submission Judgement Published
Invalidated
Reason: Design choice
