'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Rain Disclosed Report
Audit report Rain Smart Contract Audit ContestswapAndBurn Always Fails When baseToken Is WETH
Company
Created date
hidden
hiddenTarget
https://github.com/hackenproof-public/rain-contracts
Vulnerability Details
Summary
_swapAndBurn hardcodes a Uniswap v3 path baseToken -> 3000 -> WETH -> _RAIN_WETH_FEE -> rainToken and uses the Arbitrum WETH address:
- When
baseToken == WETH, the first hop becomesWETH -> 3000 -> WETH, which is an invalid Uniswap v3 pool on Arbitrum. - The
ISwapRouter.exactInputcall therefore always reverts forbaseToken == WETH, so thecatchblock executes and transfers the entireplatformSharetoplatformAddresswithout buying or burning any RAIN.
This means that for any pool configured with WETH as the base token, the buyback/burn mechanism is effectively disabled on Arbitrum: closes always follow the fallback path.
Affected Code
src/RainPool.sol:1534-1583_swapAndBurn:- Hardcodes Arbitrum WETH address
0x82aF49447D8a07e3bd95BD0d56f35241523fBab1. - Constructs
bytes memory path = abi.encodePacked(baseToken, uint24(3000), WETH, _RAIN_WETH_FEE, rainToken);. - On any swap revert, executes
IERC20(baseToken).safeTransfer(platformAddress, amountInBaseToken);.
- Hardcodes Arbitrum WETH address
Impact
- No RAIN buyback/burn for WETH base pools: For any pool where
baseToken == WETH,_swapAndBurnalways reverts and falls back, sending the fullplatformSharetoplatformAddresswithout any RAIN purchase. - Broken tokenomics on Arbitrum for WETH pools: Platform participants may expect WETH-based pools to support buyback/burn, but in practice the mechanism cannot work with the current hard‑coded path.
Validation steps
How to Reproduce (Real Arbitrum Fork)
- Run the dedicated fork test:
- Export an Arbitrum RPC:
export ARBITRUM_RPC_URL=<https url>. - Run
forge test --match-path test/rain035_weth_fork.t.sol --fork-url $ARBITRUM_RPC_URL -vvv.
- Export an Arbitrum RPC:
- The test:
- Forks Arbitrum.
- Deploys a
RainPoolwithbaseToken = WETHusing the real Uniswap v3 router and RAIN token addresses on Arbitrum. - Accrues a non‑zero
platformShareby entering a position. - Calls
closePool(), which in turn calls_swapAndBurn(platformShare).
- On Arbitrum today, there is no
WETH/WETHpool at fee3000, so:ISwapRouter.exactInputreverts on the invalidWETH -> WETHhop.- The test observes no
RainTokenBurnedevent. - The entire
platformShareis transferred directly toplatformAddress(treasury), confirming the fallback path is always taken.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;
// RAIN-035 (fork): Prove _swapAndBurn always fails when baseToken is WETH on Arbitrum
// Requires an Arbitrum RPC. Run with:
// ARBITRUM_RPC_URL=<https url> forge test --match-path test/rain035_weth_fork.t.sol --fork-url $ARBITRUM_RPC_URL -vvv
import "forge-std/Test.sol";
import {RainFactory} from "src/RainFactory.sol";
import {RainDeployer, IRainDeployer} from "src/RainDeployer.sol";
import {RainPool} from "src/RainPool.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
contract Rain035_Fork_WethBase_AlwaysFallback is Test {
// Mainnet Arbitrum addresses
address constant WETH = 0x82aF49447D8a07e3bd95BD0d56f35241523fBab1;
address constant UNIV3_ROUTER = 0xE592427A0AEce92De3Edee1F18E0157C05861564;
address constant RAIN = 0x25118290e6A5f4139381D072181157035864099d;
function test_Close_Fallback_WhenBaseTokenIsWeth_OnFork() public {
// Ensure we are forking Arbitrum
string memory url = vm.envString("ARBITRUM_RPC_URL");
vm.createSelectFork(url);
RainFactory factory = new RainFactory();
address owner = makeAddr("owner");
address resolverAI = makeAddr("resolverAI");
address treasury = makeAddr("treasury");
RainDeployer impl = new RainDeployer();
bytes memory init = abi.encodeWithSelector(
RainDeployer.initialize.selector,
address(factory),
address(this),
WETH,
treasury,
resolverAI,
RAIN,
UNIV3_ROUTER,
18, // WETH decimals
12,
25,
15 * 1e18,
12,
1
);
RainDeployer dep = RainDeployer(address(new ERC1967Proxy(address(impl), init)));
uint256[] memory w = new uint256[](2);
w[0] = 50;
w[1] = 50;
IRainDeployer.Params memory p = IRainDeployer.Params({
isPublic: true,
resolverIsAI: true,
poolOwner: owner,
startTime: block.timestamp + 1,
endTime: block.timestamp + 100,
numberOfOptions: 2,
oracleEndTime: block.timestamp + 200,
ipfsUri: "ipfs://fork-arb-weth-base",
initialLiquidity: 10_000 ether,
liquidityPercentages: w,
poolResolver: owner
});
// Fund this test address with WETH for initialLiquidity + oracleFixedFee
deal(WETH, address(this), p.initialLiquidity + dep.oracleFixedFee());
ERC20(WETH).approve(address(dep), p.initialLiquidity + dep.oracleFixedFee());
RainPool pool = RainPool(dep.createPool(p));
// Accrue platformShare via a user entry paid in WETH
vm.warp(p.startTime + 2);
address u = makeAddr("u");
deal(WETH, u, 20_000 ether);
vm.startPrank(u);
ERC20(WETH).approve(address(pool), type(uint256).max);
pool.enterOption(1, 20_000 ether);
vm.stopPrank();
// Close pool; with baseToken == WETH, the first hop in the hard-coded path is WETH->WETH at fee 3000,
// which does not exist on Arbitrum, so the swap must revert and fallback executes.
vm.warp(p.endTime + 1);
uint256 plat = pool.platformShare();
uint256 balBefore = ERC20(WETH).balanceOf(treasury);
vm.recordLogs();
pool.closePool();
uint256 balAfter = ERC20(WETH).balanceOf(treasury);
// No RainTokenBurned event should have been emitted
bytes32 burnedSig = keccak256("RainTokenBurned(uint256)");
Vm.Log[] memory logs = vm.getRecordedLogs();
for (uint256 i = 0; i < logs.length; i++) {
assertFalse(
logs[i].topics.length > 0 && logs[i].topics[0] == burnedSig,
"unexpected burn event when baseToken is WETH"
);
}
// Fallback transfer sent platformShare to treasury in WETH
assertEq(balAfter, balBefore + plat, "platform share not transferred via fallback for WETH baseToken");
}
}
Attachments
hidden CommentsReport History
Comments on this report are hidden 
Details Statehidden
hiddenSeverity Low
Bounty$114
Visibilitypartially
VulnerabilityBlockchain
Participants hidden