RebateFi Hook

First Flight #53
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

ReFi token address not validated in constructor

Description

  • The constructor should defensively validate critical addresses (like the designated ReFi token) to prevent deploying the hook in an unusable or dangerous configuration. At minimum, it should reject address(0) and optionally verify that the address looks like an ERC‑20 (e.g., non‑zero totalSupply() or decimals() check), or defer stricter checks to initialization paths.

  • The hook’s constructor stores the ReFi token address exactly as provided, with no validation. Passing address(0) (or an unintended address) will make subsequent logic (buy/sell detection, pool checks) behave incorrectly and may brick deployments or cause swaps to be misclassified.

// Root cause in the codebase with @> marks to highlight the relevant section
constructor(IPoolManager _poolManager, address _ReFi) BaseHook(_poolManager) Ownable(msg.sender) {
@>  ReFi = _ReFi; // <-- no validation; accepts zero address or wrong token
}

Risk

Likelihood: Medium

  • Occurs during deployments, tests, or upgrade scripts when a parameter is misconfigured, unset, or read from an environment variable that defaults to 0x000...000.

  • Also likely in multi-chain setups where addresses differ per network and human/operator error is common.

Impact: Medium

  • Functional breakage / DoS. _beforeInitialize and buy/sell detection rely on comparing pool currencies to ReFi. With ReFi == address(0), the hook may incorrectly treat native currency or unrelated tokens as the target, causing pool initialization to revert or pass erroneously.

  • Misclassification & wrong fees. _isReFiBuy uses ReFi to decide whether a swap is a buy or sell. A bad ReFi address leads to wrong fee application, unexpected charges, or near‑zero fees where premium fees were intended.

Proof of Concept

  • A minimal test that shows the constructor accepting a zero address and causing incorrect behavior:

function test_ConstructorAllowsZeroReFiAddress() public {
    // Arrange: deploy hook with zero token address
    IPoolManager manager = IPoolManager(address(poolManager)); // from setup
    ReFiSwapRebateHook badHook = new ReFiSwapRebateHook(manager, address(0));

    // Assert: contract state reflects invalid configuration
    assertEq(badHook.ReFi(), address(0), "Invalid: zero ReFi address stored");

    // Attempt to init a pool where currency0/currency1 != address(0);
    // logic relying on ReFi comparisons is now meaningless.
    // Depending on the rest of the code (and the separate bug in beforeInitialize),
    // this can revert or pass incorrectly.
}

Recommended Mitigation

  • Add explicit validation in the constructor:

constructor(IPoolManager _poolManager, address _ReFi)
BaseHook(_poolManager)
Ownable(msg.sender)
{
- ReFi = _ReFi;
+ require(_ReFi != address(0), "Invalid ReFi address");
+ ReFi = _ReFi;
}
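As an added example (not code from the RebateFi repository), the snippet below combines the zero-address check from the mitigation with the optional ERC-20 sanity check mentioned in the description (calls to decimals() and totalSupply() must succeed). `IERC20Minimal`, `TokenAddressCheck` and `ValidatedReFiHook` are names assumed for this illustration; only `ReFi` / `_ReFi` mirror the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the check relies on (assumed interface, not the project's).
interface IERC20Minimal {
    function totalSupply() external view returns (uint256);
    function decimals() external view returns (uint8);
}

// Added example: reject address(0) and any address that does not answer the
// two ERC-20 view calls, so a misconfigured deployment reverts at construction
// instead of misclassifying swaps later.
library TokenAddressCheck {
    error ZeroTokenAddress();
    error TokenHasNoCode(address token);
    error TokenNotERC20(address token);

    function requireERC20(address token) internal view {
        if (token == address(0)) revert ZeroTokenAddress();
        // A staticcall to an EOA or an undeployed address "succeeds" with empty
        // return data, so check for code first to give a precise error.
        if (token.code.length == 0) revert TokenHasNoCode(token);
        _expectWord(token, abi.encodeCall(IERC20Minimal.decimals, ()));
        // Only the call's success is required here; the report's stricter
        // "non-zero totalSupply()" variant would reject tokens that mint after deployment.
        _expectWord(token, abi.encodeCall(IERC20Minimal.totalSupply, ()));
    }

    function _expectWord(address token, bytes memory callData) private view {
        (bool ok, bytes memory ret) = token.staticcall(callData);
        // A conforming token returns exactly one 32-byte word; a revert or a
        // differently sized return means the address is not an ERC-20 token.
        if (!ok || ret.length != 32) revert TokenNotERC20(token);
    }
}

// Hypothetical hook skeleton showing the constructor wired to the check
// (BaseHook / Ownable inheritance from the real hook omitted).
contract ValidatedReFiHook {
    address public immutable ReFi;

    constructor(address _ReFi) {
        TokenAddressCheck.requireERC20(_ReFi); // reverts on address(0) or a non-ERC-20
        ReFi = _ReFi;
    }
}
```

A Foundry test for the hardened constructor would wrap the deployment in `vm.expectRevert(TokenAddressCheck.ZeroTokenAddress.selector)` for address(0), and in `vm.expectRevert(abi.encodeWithSelector(TokenAddressCheck.TokenNotERC20.selector, addr))` for a deployed non-token contract.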

Updates

Lead Judging Commences

chaossr Lead Judge 12 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
