RebateFi Hook
First Flight #53
Beginner FriendlyDeFi
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect Currency Validation in `_beforeInitialize` Function.

jufel

Description:
_beforeInitialize has an obvious copy-paste bug:
It checks currency1 twice, never checking currency0. The condition simplifies to
if (currency1 != ReFi) revert ReFiNotInPool().

Impact:
Every valid pool using this hook is forced to have ReFi as currency1. It breaks a core protocol invariant and potentially exposing the protocol to misconfiguration and non-standard fee logic.

Proof of Concept:
function test_BeforeInitialize_ForcesReFiToBeCurrency1() public {
// Expect revert with ReFiNotInPool when trying to initialize a pool
// where currency0 == ReFi and currency1 != ReFi.
vm.expectRevert(ReFiSwapRebateHook.ReFiNotInPool.selector);

(key, ) = initPool(
    reFiCurrency,                    // currency0 = ReFi
    tokenCurrency,                   // currency1 = not ReFi
    rebateHook,
    LPFeeLibrary.DYNAMIC_FEE_FLAG,
    SQRT_PRICE_1_1_s
);

}

Mitigation:
Replace the second key.currency1 with key.currency0:

function _beforeInitialize(address, PoolKey calldata key, uint160) internal view override returns (bytes4) {
if (Currency.unwrap(key.currency1) != ReFi &&
- Currency.unwrap(key.currency1) != ReFi) {
+ Currency.unwrap(key.currency0) != ReFi) {
revert ReFiNotInPool();
}
return BaseHook.beforeInitialize.selector;
}
}
Updates

Lead Judging Commences

chaossr Lead Judge 11 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Faulty pool check; only checks currency1 twice, omitting currency0.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!