Submission Details
Impact:
Likelihood:
Incorrect verification if the swap is buying or selling ReFi token in the _isReFiBuy function
Description
The function RebateFiHook:_isReFiBuy has an incorrect verification to check if the swap is buying or selling the ReFi token.
Impact
The hook doesn't have the correct information if the ReFi tokens are being bought or sold to apply the correct fee.
Proof of Concept:
To check if the ReFi token is being bought, we need to check the zeroForOne variable too. The ReFi token is being bought only when the is currency0 and zeroForOne is false, or when is currency1 and zeroForOne is true, but the function doesn't have this implementation:
/// @notice Determines if a swap is buying or selling ReFi
/// @param key The pool key containing currency information
/// @param zeroForOne The swap direction
/// @return True if buying ReFi, false if selling
function _isReFiBuy(PoolKey calldata key, bool zeroForOne) internal view returns (bool) {
bool IsReFiCurrency0 = Currency.unwrap(key.currency0) == ReFi;
if (IsReFiCurrency0) {
return zeroForOne;
} else {
return !zeroForOne;
}
}
Recommended Mitigation
/// @notice Determines if a swap is buying or selling ReFi
/// @param key The pool key containing currency information
/// @param zeroForOne The swap direction
/// @return True if buying ReFi, false if selling
function _isReFiBuy(PoolKey calldata key, bool zeroForOne) internal view returns (bool) {
bool IsReFiCurrency0 = Currency.unwrap(key.currency0) == ReFi;
- if (IsReFiCurrency0) {
- return zeroForOne;
- } else {
- return !zeroForOne;
- }
+ if ((IsReFiCurrency0 & !zeroForOne) || (!IsReFiCurrency0 && zeroForOne)) {
+ return true;
+ }
+
+ return false;
}
Rewards breakdown
nSLOC
150This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.