RebateFi Hook

First Flight #53

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Unbounded Buy/Sell Fees Allow Owner to Soft-Rug Users or Disable Swaps Entirely

eagerpanda582

Root + Impact

Description

Under normal behavior, the contract’s ChangeFee function should allow the owner to update buy and sell fees within reasonable, bounded limits so that swaps remain economically viable and users are protected from abusive fee configurations.

The issue is that the contract allows the owner to set any uint24 value for buyFee and sellFee with no upper bound, no validation, and no safety checks. Since Uniswap V4 fees operate with a / 1e6 denominator, this allows the owner to set fees as high as 16,777,215%, making swaps impossible and enabling soft-rug behavior.

function ChangeFee(

bool _isBuyFee,

uint24 _buyFee,

bool _isSellFee,

uint24 _sellFee

) external onlyOwner {

if(_isBuyFee) @> buyFee = _buyFee;

if(_isSellFee) @> sellFee = _sellFee;

}

// No validation -> owner can set max uint24

Risk

Likelihood:

The fee update function is operational and expected to be used during normal lifecycle management, making misconfiguration highly probable.

Any compromise of the owner key will immediately grant an attacker the ability to set malicious, extreme fees.

Impact:

The owner (or attacker with owner privileges) can set fees extremely high (100%–16M%), making swaps revert or draining nearly all traded tokens.

This enables soft-rug behavior by sharply increasing fees to extract funds from traders without modifying token contracts.

Proof of Concept

// Owner (or attacker with owner key) sets malicious fees:

ChangeFee(true, 1_000_000, true, 16_000_000);

// buyFee = 100%

// sellFee = 1600%

// Uniswap V4 interprets fee as:

// fee / 1e6

// So a user selling 100 tokens:

// fee = 100 * 16_000_000 / 1e6 = 1600 tokens (impossible, drains trade)

// Result:

// - Swap fails due to excessive fee

// - Or user receives nearly 0 output, depending on path

Recommended Mitigation

Add a maximum safe fee cap and enforce validation:

function ChangeFee(

bool _isBuyFee,

uint24 _buyFee,

bool _isSellFee,

uint24 _sellFee

) external onlyOwner {

- if(_isBuyFee) buyFee = _buyFee;

- if(_isSellFee) sellFee = _sellFee;

+ uint24 MAX_FEE = 30_000; // Example: 3% cap

+ if(_isBuyFee) {

+ require(_buyFee <= MAX_FEE, "Buy fee too high");

+ buyFee = _buyFee;

+ }

+ if(_isSellFee) {

+ require(_sellFee <= MAX_FEE, "Sell fee too high");

+ sellFee = _sellFee;

+ }

}

Updates

Lead Judging Commences

chaossr Lead Judge 11 days ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

150

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!