RebateFi Hook

First Flight #53

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Constructor calls Ownable(msg.sender) (likely incorrect) Root + Impact

smartshielder

Root + Impact

Description

Normal behavior: OpenZeppelin Ownable is typically inherited without a parameter; its constructor sets the owner to msg.sender automatically.

Problem: The contract currently inherits Ownable(msg.sender) in the constructor signature which does not match OZ Ownable recent constructor signatures and may cause compilation or ownership issues.

// Root cause in the codebase with @> marks to highlight the relevant section

constructor(IPoolManager _poolManager, address _ReFi) BaseHook(_poolManager) @> Ownable(msg.sender) {

ReFi = _ReFi;

}

Risk

Likelihood:

This issue surfaces at deployment time.

It depends on the exact OpenZeppelin version installed — may compile incorrectly or produce unexpected owner assignment.

Impact:

Incorrect owner initialization can lead to an unowned contract (if constructor fails or inheritance mismatch) or owner set to an unintended address.

Ownership controls (withdraw, fee changes) would be compromised if owner is wrong.

Proof of Concept

// If OZ Ownable has no parameterized constructor, attempting to compile may fail:

// TypeError: Derived contract must supply base contract arguments

// Or if another Ownable exists with a different signature, owner may be set incorrectly.

Recommended Mitigation

Remove the parameterized Ownable call and rely on OZ default ownership initialization:

- constructor(IPoolManager _poolManager, address _ReFi) BaseHook(_poolManager) Ownable(msg.sender) {

- ReFi = _ReFi;

- }

+ constructor(IPoolManager _poolManager, address _ReFi) BaseHook(_poolManager) {

+ ReFi = _ReFi;

+ // owner is set to msg.sender by OpenZeppelin Ownable constructor automatically

+ }

Updates

Lead Judging Commences

chaossr Lead Judge

14 days ago

chaossr Lead Judge 11 days ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Rewards breakdown

nSLOC

150

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!