RebateFi Hook

First Flight #53

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Missing Validation for Zero-Amount Swaps Allows Unintended Hook Execution

ashutoshcshah

Description

In the _beforeSwap function of RebateFiHook.sol, the hook derives the swap amount using:

uint256 swapAmount = params.amountSpecified < 0

? uint256(-params.amountSpecified)

: uint256(params.amountSpecified);

This assumes amountSpecified != 0.

However, in Uniswap V4, swap() calls with amountSpecified == 0 are valid and used for:

oracle updates
triggering hooks
dry runs / sandwich protection
internal router operations

If a user calls swap with amountSpecified = 0, the hook:

Treats the swap as a buy or sell (even though it's neither)
Emits ReFiBought or ReFiSold events with amount = 0
Applies buyFee or sellFee override (even though no swap occurred)
Consumes gas and changes user-facing analytics
May cause systems depending on events (rebates, rewards, airdrops) to mis-execute

This contradicts expected Uniswap V4 hook behavior, where no swap should mean no side effects.

Impact

Unexpected hook execution, including:

Incorrect swap events with zero volume
Gas and execution overhead
Wrong analytics, misleading swap tracking
Potential reward system manipulation (fake swap events)
Fee override applied where it should not be
Possible griefing vector: attacker can spam swap(0) and distort data

Although no funds are lost directly, this introduces correctness risks and ecosystem-wide data corruption.

Most severe scenario:
A protocol relying on ReFiBought / ReFiSold events for rewards or rebates can be exploited with zero-cost swaps.

Proof of Concept

function test_ZeroAmountSwapTriggersHook() public {

// amountSpecified = 0 means no swap is happening

SwapParams memory params = SwapParams({

zeroForOne: true,

amountSpecified: 0,

sqrtPriceLimitX96: TickMath.MAX_SQRT_PRICE - 1

});

// Expect the hook to emit an event (bug)

vm.expectEmit(true, true, true, true);

emit ReFiSwapRebateHook.ReFiBought(address(router), 0);

router.swap(poolKey, params, settings, "");

}

Executing the above emits a buy or sell event despite no swap.

Recommended Mitigation

Add a guard clause early in _beforeSwap:

if (params.amountSpecified == 0) {

return (

BaseHook.beforeSwap.selector,

BeforeSwapDeltaLibrary.ZERO_DELTA,

LPFeeLibrary.KEEP_POOL_FEE // do not override fee

);

}

Updates

Lead Judging Commences

chaossr Lead Judge 12 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

150

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!