RebateFi Hook

First Flight #53
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

`uint24` `fee` Variable Causes Revert on Large Swap Transactions

Description

  • The fee variable is declared as uint24, which has a maximum value of 16_777_215. When the fee calculation is corrected to use this variable directly (rather than the current inline calculation), large sell transactions will cause the function to revert due to integer overflow.

    function _beforeSwap(
        address sender,
        PoolKey calldata key,
        SwapParams calldata params,
        bytes calldata
    ) internal override returns (bytes4, BeforeSwapDelta, uint24) {
        ...
    @>  uint24 fee;
        if (isReFiBuy) {
            fee = buyFee;
            emit ReFiBought(sender, swapAmount);
        } else {
            fee = sellFee;
            uint256 feeAmount = (swapAmount * sellFee) / 100000;
            emit ReFiSold(sender, swapAmount, feeAmount);
        }
        ...
    }

Risk

Likelihood: Medium

  • The current inline calculation prevents this issue from manifesting, but any code refactor that assigns the calculated fee directly to the fee variable will trigger reverts on transactions exceeding 16_777_215 tokens, assuming the fee variable type remains the same.

Impact: High

  • Large swap transactions will fail, effectively preventing whale trades and limiting protocol scalability. This could result in loss of user trust and trading volume.

Proof of Concept

Run the following test with `forge test --mt test_FeeType -vvv`:

    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.26;

    import "forge-std/console.sol";
    import {Test} from "forge-std/Test.sol";

    contract TestReFiSwapRebateHook is Test {
        function test_FeeType() public pure {
            uint256 swapAmount = 559_240_534;
            uint24 testSellFee = 3000;
            uint256 feeAmount = (swapAmount * testSellFee) / 100_000;
            console.log("The calculated contract feeAmount:", feeAmount);
            assertGt(feeAmount, type(uint24).max, "Swap Amount is fine");
        }
    }

Recommended Mitigation

  • Change the fee variable type from uint24 to uint256 to accommodate large transactions:

- uint24 fee;
+ uint256 fee;
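
Review bot: on the `+ uint256 fee;` line, widening the local on its own no longer matches the `uint24` in the return tuple `(bytes4, BeforeSwapDelta, uint24)` declared by `_beforeSwap`. If `fee` is the value returned in that slot, the return statement needs an explicit narrowing with a bounds check, so the patch should include that line as well. It would also help to say in the patch description which assignment to `fee` needs the wider type, since the visible branches only assign `buyFee` and `sellFee` to it.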

  • Alternatively, if the return type must remain uint24 for protocol compatibility, validate the fee before returning:

    uint256 calculatedFee = (swapAmount * sellFee) / 1_000_000;
    require(calculatedFee <= type(uint24).max, "Fee exceeds maximum");
    uint24 fee = uint24(calculatedFee);
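
The boundary from the Proof of Concept and the checked narrowing from the second mitigation, as an added Foundry test that is not part of the submission or of the RebateFi code. `FeeNarrowing`, `checkedFee` and `truncatedFee` are hypothetical names, and the denominator is the 100000 from the hook's sell branch. It also shows that a bare `uint24(...)` cast in Solidity 0.8 truncates instead of reverting, so the `require` is what enforces the bound.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;

import {Test} from "forge-std/Test.sol";

// Hypothetical helper, not part of the RebateFi hook.
contract FeeNarrowing {
    // Denominator taken from the sell branch of _beforeSwap quoted in the Description.
    uint256 internal constant DENOMINATOR = 100_000;

    function feeAmount(uint256 swapAmount, uint24 sellFee) public pure returns (uint256) {
        return (swapAmount * sellFee) / DENOMINATOR;
    }

    // Narrowing with the bound enforced, as in the second mitigation.
    function checkedFee(uint256 swapAmount, uint24 sellFee) external pure returns (uint24) {
        uint256 amount = feeAmount(swapAmount, sellFee);
        require(amount <= type(uint24).max, "Fee exceeds maximum");
        return uint24(amount);
    }

    // Explicit cast with no check: Solidity 0.8 keeps the low 24 bits and does not revert.
    function truncatedFee(uint256 swapAmount, uint24 sellFee) external pure returns (uint24) {
        return uint24(feeAmount(swapAmount, sellFee));
    }
}

contract FeeNarrowingTest is Test {
    FeeNarrowing internal helper;

    function setUp() public { helper = new FeeNarrowing(); }

    // 559_240_533 * 3000 / 100_000 = 16_777_215, the largest value a uint24 holds.
    function test_LargestAmountThatFits() public view {
        assertEq(uint256(helper.checkedFee(559_240_533, 3000)), uint256(type(uint24).max));
    }

    // One unit more gives 16_777_216 (2**24): the checked path reverts.
    function test_CheckedNarrowingReverts() public {
        vm.expectRevert(bytes("Fee exceeds maximum"));
        helper.checkedFee(559_240_534, 3000);
    }

    // The same input through a bare cast wraps to 0 instead of reverting.
    function test_BareCastWraps() public view {
        assertEq(uint256(helper.truncatedFee(559_240_534, 3000)), 0);
    }
}
```
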
Updates

Lead Judging Commences
chaossr (Lead Judge), 15 days ago

Submission Judgement Published
chaossr (Lead Judge), 12 days ago
Invalidated
Reason: Incorrect statement