Submission Details
Severity:
Hook rejects pools
Root + Impact
Description
-
This hook is designed to work with pairs where ReFi is either
currency0orcurrency1as can be seen from the_isReFiBuy()function having logic for both cases -
The validation logic has mistakenly checked
currency1twice instead of checking bothcurrency0andcurrency1that's why making the hook reject any pool where ReFi iscurrency0and only accept pools where ReFi iscurrency1
function _beforeInitialize(address, PoolKey calldata key, uint160) internal view override returns (bytes4) {
@> if (Currency.unwrap(key.currency1) != ReFi &&
@> Currency.unwrap(key.currency1) != ReFi) { // Checks currency1 twice
revert ReFiNotInPool();
}
return BaseHook.beforeInitialize.selector;
}
Risk
Likelihood:
-
Any attempt to initialize a pool with ReFi as
currency0will always revert -
Restricts protocol to half of possible pool configs
Impact:
-
It limits pool deployment flexibility
Proof of Concept
// SPDX-License-Identifier: MIT
import {Test} from "forge-std/Test.sol";
import {IPoolManager} from "v4-core/interfaces/IPoolManager.sol";
import {PoolKey} from "v4-core/types/PoolKey.sol";
import {Currency} from "v4-core/types/Currency.sol";
import {ReFiSwapRebateHook} from "../src/RebateFiHook.sol";
contract Currency0RejectionTest is Test {
ReFiSwapRebateHook hook;
address refiToken = address(0x123);
address otherToken = address(0x456);
function setUp() public {
IPoolManager poolManager = IPoolManager(address(0x789));
hook = new ReFiSwapRebateHook(poolManager, refiToken);
}
function testRejectsReFiAsCurrency0() public {
PoolKey memory poolKey = PoolKey({
currency0: Currency.wrap(refiToken), // ReFi as currency0
currency1: Currency.wrap(otherToken),
fee: 0x800000,
tickSpacing: 60,
hooks: hook
});
// Should revert with ReFiNotInPool despite ReFi being in the pool
vm.expectRevert(ReFiSwapRebateHook.ReFiNotInPool.selector);
hook.beforeInitialize(address(this), poolKey, 0, "");
}
function testAcceptsReFiAsCurrency1() public view {
PoolKey memory poolKey = PoolKey({
currency0: Currency.wrap(otherToken),
currency1: Currency.wrap(refiToken), // ReFi as currency1
fee: 0x800000,
tickSpacing: 60,
hooks: hook
});
hook.beforeInitialize(address(this), poolKey, 0, "");
}
function testCurrency0LogicUnreachable() public view {
PoolKey memory poolKey = PoolKey({
currency0: Currency.wrap(otherToken),
currency1: Currency.wrap(refiToken),
fee: 0x800000,
tickSpacing: 60,
hooks: hook
});
// Only currency1 path is reachable
bool isReFiCurrency0 = Currency.unwrap(poolKey.currency0) == refiToken;
assertFalse(isReFiCurrency0, "ReFi can never be currency0");
}
}
Recommended Mitigation
function _beforeInitialize(address, PoolKey calldata key, uint160) internal view override returns (bytes4) {
- if (Currency.unwrap(key.currency1) != ReFi &&
- Currency.unwrap(key.currency1) != ReFi) {
+ if (Currency.unwrap(key.currency0) != ReFi &&
+ Currency.unwrap(key.currency1) != ReFi) {
revert ReFiNotInPool();
}
return BaseHook.beforeInitialize.selector;
}
Updates
Lead Judging Commences
chaossr 12 days ago
Submission Judgement Published Assigned finding tags:
Faulty pool check; only checks currency1 twice, omitting currency0.
Rewards breakdown
nSLOC
150This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.