RebateFi Hook

First Flight #53

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Incorrect denominator for fee amount calculation

valya

Root + Impact

Description

It is stated in README.md that standard fee is 0.3%, but in the hook ReFiSwapRebateHook::_beforeSwap the denominator in the formula makes the fee equal 3% provided that sellFee is 3000.

function _beforeSwap(address sender, PoolKey calldata key, SwapParams calldata params, bytes calldata)

internal

override

returns (bytes4, BeforeSwapDelta, uint24)

{

bool isReFiBuy = _isReFiBuy(key, params.zeroForOne);

uint256 swapAmount =

params.amountSpecified < 0 ? uint256(-params.amountSpecified) : uint256(params.amountSpecified);

uint24 fee;

if (isReFiBuy) {

fee = buyFee;

emit ReFiBought(sender, swapAmount);

} else {

fee = sellFee;

@> uint256 feeAmount = (swapAmount * sellFee) / 100000;

emit ReFiSold(sender, swapAmount, feeAmount);

}

return (

BaseHook.beforeSwap.selector,

BeforeSwapDeltaLibrary.ZERO_DELTA,

fee | LPFeeLibrary.OVERRIDE_FEE_FLAG

);

}

Risk

Likelihood:

The issue occurs every time the sellFee is applied to amount in.

Impact:

The user is charged more, than they expected.

Proof of Concept

The test below shows that feeAmount is equal to 3% from the swap amount.

function test_formula() public pure {

uint256 swapAmount = 1 ether;

uint24 sellFee = 3000;

uint256 feeAmount = (swapAmount * sellFee) / 100000;

assertEq(feeAmount, 0.03 ether);

}

Recommended Mitigation

Add a constant with a correct value and use it in the code:

+uint256 public constant SELL_FEE_PRECISION = 1000000;

function _beforeSwap(address sender, PoolKey calldata key, SwapParams calldata params, bytes calldata)

internal

override

returns (bytes4, BeforeSwapDelta, uint24)

{

bool isReFiBuy = _isReFiBuy(key, params.zeroForOne);

uint256 swapAmount =

params.amountSpecified < 0 ? uint256(-params.amountSpecified) : uint256(params.amountSpecified);

uint24 fee;

if (isReFiBuy) {

fee = buyFee;

emit ReFiBought(sender, swapAmount);

} else {

fee = sellFee;

- uint256 feeAmount = (swapAmount * sellFee) / 100000;

+ uint256 feeAmount = (swapAmount * sellFee) / SELL_FEE_PRECISION;

emit ReFiSold(sender, swapAmount, feeAmount);

}

return (

BaseHook.beforeSwap.selector,

BeforeSwapDeltaLibrary.ZERO_DELTA,

fee | LPFeeLibrary.OVERRIDE_FEE_FLAG

);

}

Updates

Lead Judging Commences

chaossr Lead Judge 11 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect denominator (100000 instead of likely 1000000 or 10000) in fee calculation for ReFiSold event.

Rewards breakdown

nSLOC

150

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!