Incorrect Buy/Sell Classification in _isReFiBuy()
Root + Impact
Description
-
The direction logic incorrectly identifies whether a swap is buying or selling ReFi: if (IsReFiCurrency0) {
return zeroForOne;
} else {
return !zeroForOne;
} This reverses actual Uniswap v4 swap semantics: zeroForOne = true means token0 -> token1, zeroForOne = false means token1 -> token0. [here](https://github.com/CodeHawks-Contests/2025-11-rebatefi-hook/blob/add4b298d1246ad2f1df726216849c1c31f83065/src/RebateFiHook.sol#L185) -
This results in:
-
Buys treated as sells
-
Sells treated as buys
-
Wrong fee applied
-
Incorrect events emitted
-
Misreporting to users and off-chain systems
-
Risk
Likelihood:
Every swap calling _beforeSwap relies on this logic. Thus, misclassification affects all swaps** **in ReFi pools.
Impact:
Incorrect fee applied (buyers charged sell fee and vice-versa)
Proof of Concept
Recommended Mitigation
Use correct swap direction logic:
Lead Judging Commences
Inverted buy/sell logic when ReFi is currency0, leading to incorrect fee application.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.