RebateFi Hook

Root + Impact

This audit identified 6 critical vulnerabilities and 3 medium-risk issues in the RebateFi Hook smart contract. The protocol implements an innovative asymmetric fee structure for ReFi tokens on Uniswap V4, but contains several security flaws that require immediate attention before production deployment.

[H-1] Pool Initialization Always Fails Due to Logic Error

Location: RebateFiHook.sol:131-137 (_beforeInitialize)

Description:

The _beforeInitialize function contains a critical logic error that checks key.currency1 twice instead of checking both currency0 and currency1. This causes all pool initializations to fail.

Risk

Likelihood:

This occurs on every pool initialization due to incorrect logic. No user interaction needed; deterministic failure.

Impact:

• Protocol completely non-functional - no pools can be initialized

• All deployment attempts will fail

• Users cannot interact with the protocol

Proof of Concept

The condition currency1 != ReFi && currency1 != ReFi is always false, causing the revert when ReFi is not in currency1, even if it's in currency0.

Recommended Mitigation

1. Remove the duplicate key.currency1 and replace it with key.currency0

[H-2] Incorrect Swap Direction Detection Allows Fee Bypass

Location:RebateFiHook.sol:191-199 (_isReFiBuy)

Description:

The _isReFiBuy function has inverted logic that causes incorrect fee application based on swap direction.

Risk

Likelihood:

All swaps are misclassified whenever ReFi is currency0. This can be triggered easily by configuring the pool in this common layout

Impact:

• When ReFi is currency0:

  • zeroForOne=true swaps currency0→currency1 (ReFi→ETH) = SELL, but detected as BUY (0% fee applied to sells!)

  • zeroForOne=false swaps currency1→currency0 (ETH→ReFi) = BUY, but detected as SELL (0.3% fee applied to buys!)

• Completely inverts the economic model

• ReFi sellers avoid fees while buyers are overcharged

• Attackers can structure the pool to always use ReFi as currency0 to exploit this misclassification

• Protocol fails to generate revenue, undermining its tokenomics and fee structure

Proof of Concept

Correct direction logic for different ReFi positions

Recommended Mitigation

1. Invert the condition to properly detect buys when ReFi is either token

[H-3] No Upper Bound on Fees - Owner Can Set Confiscatory Rates

Location: RebateFiHook.sol:87-95 (ChangeFee)

Description:

The ChangeFeefunction allows the contract owner to update the buyFeeand sellFee values used by the _beforeSwap hook. However, there is no upper bound on these values. Since fees are expressed in Uniswap V4 as millionth (1e6), value above 1_000_000 imply a fee greater than 100%, and anything above it violates the Uniswap V4 protocol cap for dynamic fees.

Risk

Likelihood:

This is a privileged operation and can be executed by the owner at any time. It's trivial to trigger and is deterministic

Impact:

• Confiscatory trades - Owner can set sellFee= 1_000_000 resulting in 100% of tokens being taken

• Protocol unusable - Setting an invalid fee causes swaps to revert

• Stealth rug pull - Owner can front-run users by raising fees pre-trade

• Loss of user trust - Arbitrary fees undermine market integrity

Proof of Concept

Recommended Mitigation

1. Set a maximum MAX_FEE as a state variable

2. Set a conditions where _buyFee and _sellFee are below the MAX_FEE threshold

[H-4] Missing Return Value Check on Token Transfer

Location:
RebateFiHook.sol:77 (withdrawTokens)

Description:

The withdrawTokensfunction uses transfer() without checking the return value. Some ERC20 tokens return false on failure instead of reverting.

Risk

Likelihood:

Any ERC20 token using a non-standard transfer()return value (e.g, USDT, MKR, BNB) can trigger this, silently causing fund loss

Impact:

• Silent failure of token withdrawal

• Owner may believe withdrawal succeeded due to event emission

• Funds may become stuck in contract

• Security assumptions about withdrawal logic break

Proof of Concept

Recommended Mitigation

[H-5] No Reentrancy Protection on Token Withdrawal

Location:
RebateFiHook.sol:72-79 (withdrawTokens)

Description:

The withdrawTokensfunction does not implement any reentrancy protection. A malicious token may perform a reentrant call during transfer()if the token contract invokes callbacks or external logic.

Risk

Likelihood:

Medium - Requires a malicious ERC20 token with custom logic. Common in attack scenarios, but unlikely with standard tokens

Impact:

• Reentrant callback can result in repeated withdrawals

• Owner may lose controle of assets

• Full balance can be drained if withdrawal is recursive

Proof of Concept

Recommended Mitigation

1. Recommended to use ReentrancyGuard from OpenZeppelin to prevent from reentrancy attack

[M-1] Incorrect Event Parameter Order

Location:
RebateFiHook.sol:78

Description:

The TokensWithdrawnevent has parameters in wrong order compared to function call

Risk

Likelihood:

High - This is a deterministic mistake and always happen when event is emitted

Impact:

• Off-chain analytics misinterpret withdrawals

• Event logs become misleading

• Audit trails and compliance data are corrupted

Proof of Concept

1. Fixed the correct emission from emit TokensWithdrawn(to, token, amount)to emit TokensWithdrawn(token, to, amount)

Recommended Mitigation

[M-2] No Zero Address Validation

Location:
RebateFiHook.sol:62 (constructor), RebateFiHook.sol:77 (withdrawTokens)

Description:

Missing validation for zero addresses in critical functions

Risk

Likelihood:

Medium - Can occur accidentally or due to misconfiguration

Impact:

• Tokens sent to address(0) are unrecoverable

• ReFi set to zero breaks fee logic

• Malfuction of critical hooks

Proof of Concept

Recommended Mitigation

1. Add a condition to protect against address(0)