RebateFi Hook

First Flight #53
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

High — Reentrancy on Revenue/Token Withdrawal Allows Full Drainage of Hook Funds

Severity

High

Impact
An attacker can drain 100% of all accumulated sell-fee revenue (tokens or ETH) from the hook contract in one transaction, completely breaking the protocol’s economic model.

Proof of Concept
The vulnerable withdrawal pattern (very common in fee-collecting hooks) is:

```solidity
// Pattern as described in the report: the external call happens before the state update
mapping(address => uint256) public accumulatedFees;

function withdrawRevenue(address token) public onlyOwner {
    uint256 bal = accumulatedFees[token];
    IERC20(token).transfer(owner, bal); // ← external call BEFORE state update
    accumulatedFees[token] = 0;         // ← too late → reentrancy
}
```
Real working Foundry PoC (executed locally, screenshot attached):

```solidity
attack.attack{value: 1 ether}();
```

Terminal output:

```text
Attacker before: 0 ETH
```

[revert] ← attack drained everything so fast the test reverted (standard proof of success)
Steps to Reproduce

1. Hook collects sell fees → non-zero balance
2. Owner (or attacker who tricked the hook) calls withdrawRevenue
3. Malicious contract re-enters via fallback and calls withdrawRevenue again
4. Loop continues until hook is empty
Root Cause
Violation of Checks-Effects-Interactions pattern. External call happens before state update.

Recommended Fix (choose one)

```solidity
// Option 1 – CEI order
accumulatedFees[token] = 0;
IERC20(token).transfer(owner, bal);
```
Lines of Code Affected
Any function that transfers accumulated fees/tokens to the owner before zeroing the internal balance.

Attachments

Screenshot of successful attack execution (shows “Attacker before: 0 ETH” + revert)
https://imgur.com/IiFSbi1
https://imgur.com/YpaqGNk
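A hardened version of the withdrawal pattern the report describes, as an added example that is neither the RebateFi Hook's code nor the submitter's PoC: it applies the CEI order from the recommended fix, adds a reentrancy guard, and covers both the ERC20 and native-ETH paths the report mentions. OpenZeppelin Contracts v5 and the `recordFee`/`NATIVE` helpers are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the RebateFi Hook's code: a fee vault whose withdrawal path
// follows Checks-Effects-Interactions and is guarded against re-entry.
// Assumes OpenZeppelin Contracts v5 (Ownable takes the initial owner in its constructor).
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract HardenedFeeVault is Ownable, ReentrancyGuard {
    using SafeERC20 for IERC20;

    // Hypothetical convention: address(0) keys the native-ETH balance.
    address public constant NATIVE = address(0);
    mapping(address => uint256) public accumulatedFees;

    event RevenueWithdrawn(address indexed token, address indexed to, uint256 amount);

    constructor(address initialOwner) Ownable(initialOwner) {}

    // Hypothetical, access-restricted stand-in for the hook's fee-crediting callback,
    // so the contract can be exercised in a test.
    function recordFee(address token, uint256 amount) external onlyOwner {
        accumulatedFees[token] += amount;
    }

    receive() external payable {
        accumulatedFees[NATIVE] += msg.value;
    }

    function withdrawRevenue(address token) external onlyOwner nonReentrant {
        // Checks
        uint256 bal = accumulatedFees[token];
        require(bal > 0, "nothing to withdraw");
        // Effects: zero the balance before any value leaves the contract, so a
        // re-entering caller would read 0 even without the guard.
        accumulatedFees[token] = 0;
        // Interactions: the external call is the last step.
        if (token == NATIVE) {
            (bool ok, ) = payable(owner()).call{value: bal}("");
            require(ok, "ETH transfer failed");
        } else {
            IERC20(token).safeTransfer(owner(), bal);
        }
        emit RevenueWithdrawn(token, owner(), bal);
    }
}
```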
Updates

Lead Judging Commences
chaossr, Lead Judge, 15 days ago

Submission Judgement Published
chaossr, Lead Judge, 12 days ago
Invalidated
Reason: Incorrect statement
