#58741 [SC - Medium] Action function signatures to 0x Settler are wrong

Submitted on Nov 4th 2025 at 11:05:49 UTC by @kenzo for Audit Comp | Alchemix V3

  • Report ID: #58741

  • Report Type: Smart Contract

  • Report severity: Medium

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/utils/ZeroXSwapVerifier.sol

  • Impacts:

    • Temporary freezing of funds for at least 1 hour

Description

Brief/Intro

The calldata passed in calls to 0x Settler will be incorrect because the action selectors (which specify the action 0x Settler should take) are wrong: they are not the selectors that 0x Settler actually dispatches on.

Vulnerability Details

In the library at the target path, each action has a hard-coded function selector that specifies which action 0x Settler should take. These selectors are wrong, so when they are encoded into the call to 0x Settler no action is matched, and swaps, for example, fail.

```solidity
library ZeroXSwapVerifier {

    // Constants for 0x Settler function selectors
    bytes4 private constant EXECUTE_SELECTOR = 0xcf71ff4f; // execute(SlippageAndActions,bytes[])
    bytes4 private constant EXECUTE_META_TXN_SELECTOR = 0x0476baab; // executeMetaTxn(SlippageAndActions,bytes[],address,bytes)

    // Action selectors for different swap types
    bytes4 private constant BASIC_SELL_TO_POOL = 0x5228831d;
    bytes4 private constant UNISWAPV3_VIP = 0x9ebf8e8d;
    bytes4 private constant RFQ_VIP = 0x0dfeb419;
    bytes4 private constant METATXN_VIP = 0xc1fb425e;
    bytes4 private constant CURVE_TRICRYPTO_VIP = 0x103b48be;
    bytes4 private constant UNISWAPV4_VIP = 0x38c9c147;
    bytes4 private constant TRANSFER_FROM = 0x8d68a156;
    bytes4 private constant NATIVE_DEPOSIT = 0xc876d21d;
    bytes4 private constant SELL_TO_LIQUIDITY_PROVIDER = 0xf1e0a1c3;
    bytes4 private constant DODOV1_VIP = 0x40a07c6c;
    bytes4 private constant VELODROME_V2_VIP = 0xb8df6d4d;
    bytes4 private constant DODOV2_VIP = 0xd92aadfb;

    ...

}
```

These selectors for the external call to 0x Settler are wrong and will lead to failing swaps in the 99% case, and to the wrong function being invoked in 0x Settler in the 1% case.

For example, the UNISWAPV3_VIP action on 0x Settler has the selector 0x22ce6ede, not 0x9ebf8e8d as the Alchemix team expects. This will cause every Uniswap V3 swap built with this calldata to fail.

The same is true of every other selector in this library: all of them are wrong.

For reference, see the 0x Settler functions and the selectors they correspond to on-chain at the 0x Settler address: https://etherscan.io/address/0x70bf6634ee8cb27d04478f184b9b8bb13e5f4710#code

For a detailed code view of the 0x Settler contract, see: https://vscode.blockscan.com/ethereum/0x70bf6634ee8cb27d04478f184b9b8bb13e5f4710

When the function selector for the UNISWAPV3_VIP action is derived from the 0x Settler contract at that address, it is computed as:

Thus, the selector of the action is 0x22ce6ede and not 0x9ebf8e8d.

The same issue affects all other action signatures below:

Impact Details

Swap calls to the 0x Settler contract will not work: the action selectors will not be found in the contract, so the low-level call to 0x Settler returns success while the intended function never executes.

Also, on another note, the EXECUTE_SELECTOR and EXECUTE_META_TXN_SELECTOR are also incorrect, but I have decided to highlight it in this single submission too so I don't mistakenly duplicate myself.

References

https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/utils/ZeroXSwapVerifier.sol

Proof of Concept
