RebateFi Hook

First Flight #53
Beginner Friendly, DeFi
Submission Details
Severity: high
Valid

Logical Bug in Pool Validation

Description

  • The `_beforeInitialize` function contains a critical logical error: both operands of its `&&` condition test `currency1`, so `currency0` is never examined. The check therefore reduces to `currency1 != ReFi`, which breaks the fundamental requirement that pools must contain the ReFi token.

function _beforeInitialize(address, PoolKey calldata key, uint160) internal view override returns (bytes4) {
    // Duplicate condition - only checks currency1 twice!
@>  if (Currency.unwrap(key.currency1) != ReFi &&
@>      Currency.unwrap(key.currency1) != ReFi) { // Should check currency0
        revert ReFiNotInPool();
    }
    return BaseHook.beforeInitialize.selector;
}
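
As an added illustration (not code from the submission or the RebateFi project), the Python model below compares the original and corrected conditions across token pairings to show which pools the original condition misjudges. It assumes the pool orders its currencies so that `currency0` has the lower address; all addresses are constructed sample values.

```python
# Added model of the hook's initialization check; not the project's Solidity.
# All addresses are constructed sample values.
REFI = 0x5000000000000000000000000000000000000000
NATIVE = 0x0  # assumption: native currency is the zero address, so it sorts first
LOW_TOKEN = 0x1000000000000000000000000000000000000000
HIGH_TOKEN = 0x9000000000000000000000000000000000000000


def pool_key(token_a, token_b):
    """Order a pair as (currency0, currency1), lower address first (assumed rule)."""
    if token_a == token_b:
        raise ValueError("currencies must differ")
    return (min(token_a, token_b), max(token_a, token_b))


def flawed_rejects(currency0, currency1, refi=REFI):
    """Original condition: both operands test currency1."""
    return currency1 != refi and currency1 != refi


def fixed_rejects(currency0, currency1, refi=REFI):
    """Mitigated condition: reject only when neither currency is ReFi."""
    return currency0 != refi and currency1 != refi


def classify(token_a, token_b):
    """Return (contains_refi, flawed_allows, fixed_allows) for a token pair."""
    c0, c1 = pool_key(token_a, token_b)
    return (REFI in (c0, c1), not flawed_rejects(c0, c1), not fixed_rejects(c0, c1))


def disagreements(pairs):
    """Pairs where the flawed check's verdict differs from whether ReFi is present."""
    return [p for p in pairs if classify(*p)[0] != classify(*p)[1]]


SAMPLE_PAIRS = [
    (REFI, NATIVE),        # ReFi sorts second -> currency1
    (REFI, LOW_TOKEN),     # ReFi sorts second -> currency1
    (REFI, HIGH_TOKEN),    # ReFi sorts first  -> currency0
    (NATIVE, HIGH_TOKEN),  # no ReFi at all
]

if __name__ == "__main__":
    for pair in SAMPLE_PAIRS:
        print([hex(t) for t in pool_key(*pair)], classify(*pair))
    print("misjudged by flawed check:", disagreements(SAMPLE_PAIRS))
```

In this sample set the only misjudged pair is the one where ReFi sorts into `currency0`.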

Risk

Impact:

  • Incorrect pool validation logic

  • May allow pools without ReFi token or block valid pools

  • Hook may not function as intended

Proof of Concept

Add the following to `RebateFiHookTest.t.sol`:

function test_BeforeInitializeValidationLogic() public {
    PoolKey memory invalidKey = PoolKey({
        currency0: ethCurrency,
        currency1: tokenCurrency, // Not ReFi token
        fee: LPFeeLibrary.DYNAMIC_FEE_FLAG,
        tickSpacing: 60,
        hooks: rebateHook
    });
    vm.expectRevert(); // Reverts due to flawed logic
    manager.initialize(invalidKey, INITIAL_SQRT_PRICE);
}

Recommended Mitigation

function _beforeInitialize(address, PoolKey calldata key, uint160) internal view override returns (bytes4) {
- if (Currency.unwrap(key.currency1) != ReFi &&
- Currency.unwrap(key.currency1) != ReFi) {
+ if (Currency.unwrap(key.currency0) != ReFi &&
+ Currency.unwrap(key.currency1) != ReFi) {
revert ReFiNotInPool();
}
return BaseHook.beforeInitialize.selector;
}
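
Review bot: the changed first operand (`key.currency0` on the first `+` line) has no test that would fail without it. The proof-of-concept test shown earlier builds a key whose `currency1` is commented as not ReFi and uses a bare `vm.expectRevert()`, so it passes both before and after this change whenever `currency0` is not ReFi either. Add a test that initializes a pool with ReFi as `currency0` and expects success, and make the revert case check for `ReFiNotInPool` rather than any revert. A one-line comment above the `if` stating that ReFi may sit on either side of the pair would also help keep the two operands from being duplicated again.
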
Updates

Lead Judging Commences

chaossr Lead Judge 10 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Faulty pool check; only checks currency1 twice, omitting currency0.
