RebateFi Hook

First Flight #53

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Broken ReFi presence check in _beforeInitialize() prevents pool initialization

ayushmanraj1123

Root + Impact

Description

Normal behavior: _beforeInitialize() should allow pool initialization when either currency0 or currency1 equals the ReFi token address.
Issue: The code checks currency1 twice and never checks currency0, so pools where ReFi is currency0 will revert at initialization and cannot be created using this hook. This is a denial-of-service for legitimate pool creation and prevents the hook from being used as intended.

function _beforeInitialize(address, PoolKey calldata key, uint160) internal view override returns (bytes4) {

// @> BUG: currency1 is checked twice, currency0 never checked

if (Currency.unwrap(key.currency1) != ReFi &&

Currency.unwrap(key.currency1) != ReFi) {

revert ReFiNotInPool();

}

return BaseHook.beforeInitialize.selector;

}

Risk

Likelihood:

Risk1 - This will occur whenever the hook is used to initialize a pool where the ReFi token is supplied as currency0 (owner tries to initialize such pools).
Risk2 - New deployments or test setups that place ReFi at currency0 will consistently hit this check and fail.

Impact:

Impact 1 - Legitimate pool creation is blocked — owner cannot enable the hook on valid pools.
Impact 2 - Disrupts testing and production deployment; may require code patch and redeployment, wasting time and possibly funds.

Proof of Concept - Consider adding a brief explanation that describes how your Proof-of-Concept triggers the issue.

When the owner sets the sell fee to 1,000,000, subsequent swaps encode this fee in the override flag. Because the hook returns this overridden fee to the pool, Uniswap interprets it as a valid LP fee. As a result, a single swap results in nearly all input tokens being taken as fees, effectively freezing trading.

Recommended Mitigation - Consider adding a short explanation that outlines why your proposed mitigation resolves the underlying problem.

- if (Currency.unwrap(key.currency1) != ReFi &&

- Currency.unwrap(key.currency1) != ReFi) {

- revert ReFiNotInPool();

- }

+ if (

+ Currency.unwrap(key.currency0) != ReFi &&

+ Currency.unwrap(key.currency1) != ReFi

+ ) {

+ revert ReFiNotInPool();

+ }

Updates

Lead Judging Commences

chaossr Lead Judge 8 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Faulty pool check; only checks currency1 twice, omitting currency0.

Rewards breakdown

nSLOC

150

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!