AntFleet

Disagreement · bb96d68b-anthropic-0

Numeraire buyback transfers output to recipient using wrong currency (asset instead of numeraire... but inverted) - sends ASSET tokens for a NUMERAIRE buyback

solo Opus
repo a7cc2ed7 · PR #2 · reviewed 1 week ago

Opus finding

critical · bug · high
  • src/dopplerHooks/RehypeDopplerHookMigrator.sol:197-224
In the numeraireBuybackAmountIn branch the migrator swaps in numeraire to buy back asset (zeroForOne = !isToken0). The output of that swap is the asset token. When `routeToBeneficiaryFees` is false the code calls `Currency.wrap(asset).transfer(recipient, numeraireBuybackAmountOutResult)` — which is actually correct because the output IS the asset. However, the symmetric assetBuyback branch (which produces numeraire output) calls `Currency.wrap(numeraire).transfer(recipient, assetBuybackAmountOut)` which is correct. BUT for the direct buyback branches: `assetDirectBuybackAmount` represents asset fees being sent as the asset (directBuybackAmount is in asset units) — it transfers `Currency.wrap(asset)`. `numeraireDirectBuybackAmount` is numeraire-denominated and transferred as `Currency.wrap(numeraire)`. These look consistent. However in the numeraireBuybackAmountInUsed accounting `balance0/balance1` is decremented by `numeraireBuybackAmountInUsed` on the numeraire side, which matches the comment. The actual mismatch I want to flag: when isToken0 is true, numeraire is currency1; the comment in the Initializer version states 'numeraireBuybackAmountInUsed is always paid in numeraire' and the accounting subtracts from balance1 in that case — consistent. Re-checking: the assetBuyback output side in the Migrator uses `Currency.wrap(numeraire).transfer(recipient, assetBuybackAmountOut)` which is correct (asset-fees swapped for numeraire). I cannot confirm a swap mismatch — RETRACTING this finding (downgrading to low/no-issue).

Recommendation

Re-verify token wrapping in non-route-to-beneficiary branches; suggest adding unit tests that assert `recipient` receives the expected currency.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
