LF-13902 Callbacks for HyperswapV, LaminarV3, XSwap and RabbitSwap [IHyperswapV3Factory v1.0.0,IHyperswapV3QuoterV2 v1.0.0,LiFiDEXAggregator v1.10.0]

[mirooon]

Which Jira task belongs to this PR?

LF-13902

Why did I implement it this way?

Checklist before requesting a review

• I have performed a self-review of my code
• This pull request is as small as possible and only tackles one problem
• I have added tests that cover the functionality / test the bug
• For new facets: I have checked all points from this list: https://www.notion.so/lifi/New-Facet-Contract-Checklist-157f0ff14ac78095a2b8f999d655622e
• I have updated any required documentation

Checklist for reviewer (DO NOT DEPLOY and contracts BEFORE CHECKING THIS!!!)

• I have checked that any arbitrary calls to external contracts are validated and or restricted
• I have checked that any privileged calls (i.e. storage modifications) are validated and or restricted
• I have ensured that any new contracts have had AT A MINIMUM 1 preliminary audit conducted on by <company/auditor>

[coderabbitai]

Walkthrough

This update introduces new DEX integrations to the LiFiDEXAggregator contract, adds corresponding Solidity interface files, and expands the test suite with new contracts for HyperswapV3, LaminarV3, XSwapV3, RabbitSwap, and EnosysDexV3. Deployment metadata and configuration files for several networks are updated or added to reflect new contract addresses and versions. An audit entry for version 1.10.0 of the LiFiDEXAggregator contract is also added.

Changes

Files/Groups	Change Summary
src/Periphery/LiFiDEXAggregator.sol	Incremented version to 1.10.0, added multiple new swap callback functions, and enhanced validation in swapUniV3.
src/Interfaces/IHyperswapV3Factory.sol, src/Interfaces/IHyperswapV3QuoterV2.sol	Added new interfaces for HyperswapV3 factory and quoter.
test/solidity/Periphery/LiFiDEXAggregator.t.sol	Refactored aggregator initialization, standardized test naming, and added new test contracts for additional DEXes.
deployments/arbitrum.staging.json, deployments/xdc.staging.json, deployments/hyperevm.staging.json, deployments/flare.staging.json	Added or updated staging deployment configuration files with new aggregator addresses.
deployments/_deployments_log_file.json	Appended new staging deployment entries for versions 1.9.0 and 1.10.0 across multiple networks.
audit/auditLog.json	Added new audit entry "audit20250608" and linked it to version 1.10.0 of the LiFiDexAggregator contract.

Possibly related PRs

• feat: add callback in LiFiDEXAggregator [LiFiDEXAggregator v1.5.0] #832: Both PRs modify the LiFiDEXAggregator contract by adding multiple new swap callback functions to support additional DEX integrations, extending the callback handling capabilities of the contract.
• missing audit reports added for LiFiDEXAggregator #956: Both PRs add audit entries for the LiFiDexAggregator contract but for different versions, updating the audit log metadata.
• Add cantina competition to audit log #1135: Both PRs add distinct audit entries and link them to contract versions in the audit log, related by audit metadata management.

Suggested labels

AuditCompleted

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• JIRA integration encountered authorization issues. Please disconnect and reconnect the integration in the CodeRabbit UI.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2de2769 and 69b4608.

⛔ Files ignored due to path filters (1)

• audit/reports/2025.06.08_LiFiDexAggregator(v1.10.0).pdf is excluded by !**/*.pdf

📒 Files selected for processing (1)

• audit/auditLog.json (2 hunks)

✅ Files skipped from review due to trivial changes (1)

• audit/auditLog.json

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: enforce-min-test-coverage
• GitHub Check: run-unit-tests
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: generate-tag

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[lifi-action-bot]

🤖 GitHub Action: Security Alerts Review 🔍

🟢 Dismissed Security Alerts with Comments
The following alerts were dismissed with proper comments:

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Casting a large uint to int (even at same byte width) may lead to overflow. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/uint-to-int-conversion
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: safe. The amountIn value comes from the pool’s reserves, which are much smaller than the maximum number allowed by int256

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Calling a function without checking the return value may lead to silent failures. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unused-return-function-call
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: The return value from IUniswapV3Pool(pool).swap() is not needed because the result is handled by the callback function uniswapV3SwapCallback

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: expected and safe. If the call fails, the whole transaction reverts,

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Parameters passed to a constructor that are not validated for correct values may lead to contract creation in an undesired state. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/no-parameter-validation-in-constructor
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: The _owner is already validated in the constructor and the priviledged array t is optiona

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 The contract uses low-level calls without properly verifying the input parameters, potentially leading to unexpected behavior or vulnerabilities. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/low-level-call-params-verified
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: using low-level call to handle non-compliant ERC20s like USDT (returns no bool on approve) This pattern is widely used and handles both compliant and non-compliant tokens safely

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Using a payable fallback (including receive) with no access control may lead to inadvertently locked funds. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/no-access-control-payable-fallback
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: Necessary for native unwrapping

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Parameters passed to a constructor that are not validated for correct values may lead to contract creation in an undesired state. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/no-parameter-validation-in-constructor
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: We as the deployer ensure that all constructor parameters, including _bentoBox address, are validated off-chain prior to deployment. This contract is only deployed via automated scripts with predefined, verified inputs. On-chain checks for zero addresses are therefore not requir

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Calling a function without checking the return value may lead to silent failures. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unused-return-function-call
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: The return value is not critical for execution flow and is therefore intentionally ignored.

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Calling a function without checking the return value may lead to silent failures. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unused-return-function-call
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: 3rd returned value intentionally ignored

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Calling a function without checking the return value may lead to silent failures. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unused-return-function-call
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: return values unused. function reverts on failure

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Calling a function without checking the return value may lead to silent failures. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unused-return-function-call
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: return values unused would be unsued and function reverts on failure

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Unchecked zero values passed as parameters may be in error or an indication of potentially insecure code design. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/zero-as-parameter
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: Token being zero will revert (nonexistent token), and zero address as spender can’t benefit Safe by design

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Unchecked zero values passed as parameters may be in error or an indication of potentially insecure code design. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/zero-as-parameter
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: TODO: Unrealated to this PR

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Unchecked zero values passed as parameters may be in error or an indication of potentially insecure code design. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/zero-as-parameter
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: TODO Unrelated to this PR

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Unchecked zero values passed as parameters may be in error or an indication of potentially insecure code design. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/zero-as-parameter
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: The amountIn value is always set before this point and only passed here if it is greater than zero

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Unchecked zero values passed as parameters may be in error or an indication of potentially insecure code design. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/zero-as-parameter
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: Not crucial, it would fail anyway

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Unchecked zero values passed as parameters may be in error or an indication of potentially insecure code design. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/zero-as-parameter
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: True but we as a deployer make sure that this param is not zero address

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Making an external call without a gas budget may consume all of the transaction's gas, causing it to revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/call-without-gas-budget
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: It’s wrapped with a success check and fallback decoding logic to handle both cases safely

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 Using a payable fallback (including receive) with no explicit functionality may indicate incomplete contract logic. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/empty-payable-fallback
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: This empty receive() function is required to support native token unwrapping

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: If the swap fails, the whole transaction reverts

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: if the Curve pool is invalid or the call fails, the transaction reverts as expected

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: If the swap fails, the whole transaction reverts

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: The swap() call is expected to revert if the pool doesn't support the swap or the input is invalid

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: swap() call is a normal part of the router logic and only happens when inputs are valid

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: False positive
🔹 Dismiss Comment: no risk of denial

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: reverting the entire transaction if any single swap fails is intended behavior. Desired for swap routing

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: reverting the entire transaction if any single swap fails is intended behavior. Desired for swap routing

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: reverting the entire transaction if any single swap fails is intended behavior. Desired for swap routing

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: reverting the entire transaction if any single swap fails is intended behavior. Desired for swap routing

🟢 View Alert - File: src/Periphery/LiFiDEXAggregator.sol
🔹 External calls in a loop may lead to denial of service if those calls revert. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/calls-in-loop
🔹 Dismiss Reason: Won't fix
🔹 Dismiss Comment: reverting the entire transaction if any single swap fails is intended behavior. Desired for swap routing

✅ No unresolved security alerts! 🎉

[lifi-action-bot]

Test Coverage Report

Line Coverage: 83.93% (2289 / 2727 lines)
Function Coverage: 89.58% ( 387 / 432 functions)
Branch Coverage: 54.56% ( 305 / 559 branches)
Test coverage (83.93%) is above min threshold (82%). Check passed.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (3)

src/Interfaces/IHyperswapV3QuoterV2.sol (2)

8-14: Document struct fields for clarity
Consider adding @param NatSpec tags for each member of QuoteExactInputSingleParams to enhance generated documentation and readability.

---

16-36: Fix NatSpec tags for parameters
The detailed parameter descriptions lack @param prefixes, which are required for proper NatSpec parsing. For example:

-/// tokenIn The token being swapped in
+/// @param tokenIn The token being swapped in

test/solidity/Periphery/LiFiDEXAggregator.t.sol (1)

2008-2015: Multi-hop swaps are not supported for HyperswapV3.

The test correctly identifies that HyperswapV3 doesn't support multi-hop swaps due to the require(amountSpecified != 0, 'AS') check in the pool's swap function. Since ProcessOnePool always passes amountSpecified = 0, this prevents chaining V3 pools.

Consider documenting this limitation in the main contract or creating a tracking issue for future enhancement if multi-hop support is needed.

Would you like me to create an issue to track this limitation or document it in the contract?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 28e407f and d81742a.

📒 Files selected for processing (8)

• deployments/_deployments_log_file.json (2 hunks)
• deployments/arbitrum.diamond.staging.json (1 hunks)
• deployments/arbitrum.staging.json (1 hunks)
• deployments/xdc.staging.json (1 hunks)
• src/Interfaces/IHyperswapV3Factory.sol (1 hunks)
• src/Interfaces/IHyperswapV3QuoterV2.sol (1 hunks)
• src/Periphery/LiFiDEXAggregator.sol (2 hunks)
• test/solidity/Periphery/LiFiDEXAggregator.t.sol (4 hunks)

🧰 Additional context used

🧠 Learnings (4)

deployments/xdc.staging.json (1)

Learnt from: 0xDEnYO
PR: lifinance/contracts#819
File: deployments/fuse.json:24-25
Timestamp: 2024-10-09T03:47:21.269Z
Learning: The `LiFiDEXAggregator.sol` contract is located in `src/Periphery/`.

deployments/_deployments_log_file.json (1)

undefined

<retrieved_learning>
Learnt from: 0xDEnYO
PR: #832
File: deployments/_deployments_log_file.json:23712-23720
Timestamp: 2024-12-04T01:59:34.045Z
Learning: In deployments/_deployments_log_file.json, duplicate deployment entries for the same version and address may occur because they correspond to deployments on different networks. These entries are acceptable and should not be flagged as duplicates in future reviews.
</retrieved_learning>

src/Periphery/LiFiDEXAggregator.sol (3)

Learnt from: 0xDEnYO
PR: lifinance/contracts#819
File: deployments/bsc.json:48-48
Timestamp: 2024-10-04T09:00:06.744Z
Learning: The `LiFiDEXAggregator` contract does not include a `swapAndCompare` function.

Learnt from: 0xDEnYO
PR: lifinance/contracts#819
File: deployments/bsc.json:48-48
Timestamp: 2024-10-09T03:47:21.269Z
Learning: The `LiFiDEXAggregator` contract does not include a `swapAndCompare` function.

Learnt from: 0xDEnYO
PR: lifinance/contracts#819
File: deployments/fuse.json:24-25
Timestamp: 2024-10-09T03:47:21.269Z
Learning: The `LiFiDEXAggregator.sol` contract is located in `src/Periphery/`.

test/solidity/Periphery/LiFiDEXAggregator.t.sol (2)

Learnt from: mirooon
PR: lifinance/contracts#1117
File: test/solidity/Periphery/LiFiDEXAggregator.t.sol:111-127
Timestamp: 2025-05-06T09:09:38.108Z
Learning: The `setupApechain()` function in LiFiDEXAggregator tests intentionally avoids calling `initTestBase()` to prevent needing to define standard contracts (like ADDRESS_USDC_PROXY and Uniswap) that aren't needed for Apechain-specific tests.

Learnt from: 0xDEnYO
PR: lifinance/contracts#819
File: deployments/fuse.json:24-25
Timestamp: 2024-10-09T03:47:21.269Z
Learning: The `LiFiDEXAggregator.sol` contract is located in `src/Periphery/`.

🪛 GitHub Actions: VersionControlAndAuditVerification

src/Periphery/LiFiDEXAggregator.sol

[error] 1-1: Could not find any logged audit for contract LiFiDEXAggregator in version 1.10.0.

🪛 GitHub Actions: Security Alerts Review

src/Periphery/LiFiDEXAggregator.sol

[error] 542-542: Casting a large uint to int (even at same byte width) may lead to overflow.

---

[error] 539-539: Calling a function without checking the return value may lead to silent failures.

---

[error] 539-539: External calls in a loop may lead to denial of service if those calls revert.

---

[error] 94-94: Parameters passed to a constructor that are not validated for correct values may lead to contract creation in an undesired state.

---

[error] 762-762: Unchecked zero values passed as parameters may be in error or an indication of potentially insecure code design.

---

[error] 1421-1421: Making an external call without a gas budget may consume all of the transaction's gas, causing it to revert.

---

[error] 121-121: Using a payable fallback (including receive) with no explicit functionality may indicate incomplete contract logic.

---

[error] 787-787: External calls in a loop may lead to denial of service if those calls revert.

---

[error] 777-777: External calls in a loop may lead to denial of service if those calls revert.

---

[error] 762-762: External calls in a loop may lead to denial of service if those calls revert.

---

[error] 513-513: External calls in a loop may lead to denial of service if those calls revert.

---

[error] 492-492: External calls in a loop may lead to denial of service if those calls revert.

---

[error] 477-477: External calls in a loop may lead to denial of service if those calls revert.

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: run-unit-tests
• GitHub Check: enforce-min-test-coverage
• GitHub Check: run-unit-tests
• GitHub Check: enforce-min-test-coverage

🔇 Additional comments (13)

deployments/arbitrum.diamond.staging.json (1)

179-179: No functional change
The removal of the trailing newline has no impact on the JSON content or deployments.

deployments/arbitrum.staging.json (1)

56-57: Add LiFiDEXAggregator deployment address
The new "LiFiDEXAggregator": "0x4E992E3A49c61FDE728926A35BAd715303a8223f" entry correctly specifies the upgraded aggregator contract for version 1.10.0. The comma after the previous "ChainflipFacet" is required for valid JSON.

src/Interfaces/IHyperswapV3Factory.sol (3)

1-3: SPDX and pragma are properly declared
The license identifier and Solidity version (^0.8.17) align with the rest of the codebase.

---

4-7: NatSpec header is clear
The title, author, and version tags provide adequate documentation for this new interface.

---

8-19: Interface signature looks correct
The getPool function is well-documented and matches typical Uniswap‐style factory interfaces. Ensure that this parameter ordering and return type match the on-chain HyperswapV3 factory implementation.

src/Interfaces/IHyperswapV3QuoterV2.sol (2)

1-3: SPDX and pragma are properly declared
The license identifier and Solidity version (^0.8.17) are consistent with project standards.

---

4-7: NatSpec header is clear
The title, author, and version tags give concise metadata for the quoter interface.

deployments/xdc.staging.json (1)

1-3: Add XDC staging deployment entry
The new LiFiDEXAggregator address for the XDC network is correctly specified. Please confirm that this minimal JSON file is compatible with the deployment tooling and that other required addresses are inherited or merged appropriately.

src/Periphery/LiFiDEXAggregator.sol (2)

42-42: Version update looks good.

The version bump to 1.10.0 appropriately reflects the addition of new callback functions for HyperswapV3 and LaminarV3 integrations.

---

726-732:

❓ Verification inconclusive

Verify HyperswapV3 callback security model.

The new hyperswapV3SwapCallback function delegates directly to uniswapV3SwapCallback, relying on the lastCalledPool validation. Please ensure that HyperswapV3 pools are compatible with this security model and that the callback validation is sufficient.

Consider adding a comment documenting that this callback is specifically for HyperswapV3 pools and explaining the security model.

---

🏁 Script executed:

#!/bin/bash
# Search for HyperswapV3 interface definitions to understand the expected callback behavior
fd -e sol -x grep -l "IHyperswapV3" {} \; | head -10 | xargs -I {} grep -A 10 -B 2 "SwapCallback\|hyperswapV3SwapCallback" {}

# Look for any HyperswapV3-specific validation or requirements
rg -A 5 -B 5 "HyperswapV3" --type sol

Length of output: 314

---

I wasn’t able to locate any HyperswapV3 definitions or usages with the initial search. Let’s broaden our grep to cover all Solidity files and import lines:

---

🏁 Script executed:

#!/bin/bash
# 1. Find any references to “hyperswapV3” in .sol files
rg --color=never -g '*.sol' -n 'hyperswapV3'

# 2. Look for an IHyperswapV3 interface definition
rg --color=never -g '*.sol' -n 'interface IHyperswapV3'

# 3. Check imports for any Hyperswap-related files
rg --color=never -g '*.sol' -n 'import .*Hyperswap'

# 4. Confirm how lastCalledPool is set/used in the aggregator
rg --color=never -g '*.sol' -n 'lastCalledPool'

# 5. Inspect the uniswapV3SwapCallback implementation
rg --color=never -g '*.sol' -n 'function uniswapV3SwapCallback'

Length of output: 1617

---

I still can’t see the callback implementations and doc comments. Let’s dump the surrounding code for both callback functions:

#!/bin/bash
# Show 10 lines before & after uniswapV3SwapCallback
rg -n -C10 "function uniswapV3SwapCallback" -g '*.sol'

# Show 10 lines before & after hyperswapV3SwapCallback
rg -n -C10 "function hyperswapV3SwapCallback" -g '*.sol'

---

Let’s pull the full implementations around both callbacks for clarity:

#!/bin/bash
# Dump uniswapV3SwapCallback implementation
sed -n '530,630p' src/Periphery/LiFiDEXAggregator.sol

# Dump hyperswapV3SwapCallback implementation
sed -n '720,780p' src/Periphery/LiFiDEXAggregator.sol

---

Verify HyperswapV3 callback security model

File: src/Periphery/LiFiDEXAggregator.sol
Lines: 726–732

+    /// @dev Callback entrypoint for HyperswapV3 pools.
+    ///      Delegates to `uniswapV3SwapCallback` and relies on the `lastCalledPool` check for authenticity.
     function hyperswapV3SwapCallback(
         int256 amount0Delta,
         int256 amount1Delta,
         bytes calldata data
     ) external {
         uniswapV3SwapCallback(amount0Delta, amount1Delta, data);
     }

• Ensure the HyperswapV3 swap entrypoint in this contract sets lastCalledPool before calling into the pool, exactly as the UniswapV3 flow.
• Confirm that HyperswapV3 pools invoke this function with the same callback signature and cannot bypass the lastCalledPool check.
• Add the above NatSpec comment so future readers understand that this callback reuses UniswapV3’s security model but is dedicated to HyperswapV3 pools.

test/solidity/Periphery/LiFiDEXAggregator.t.sol (3)

108-119: Good refactoring to reduce code duplication.

The new _initializeDexAggregator helper function effectively consolidates the repeated initialization logic across different test setups.

---

2136-2143: Multi-hop swaps are also not supported for LaminarV3.

LaminarV3 has the same limitation as HyperswapV3 regarding multi-hop swaps. This consistency suggests it might be a broader V3-style DEX integration pattern.

The single-hop test coverage is comprehensive and follows good testing practices.

---

1847-2144: Tests were actually added despite PR description.

The PR description states that "tests covering the new functionality have not been added," but comprehensive test contracts LiFiDexAggregatorHyperswapV3Test and LiFiDexAggregatorLaminarV3Test were actually implemented. Please update the PR description to reflect the actual changes.

The test coverage includes:

• Single-hop swaps from user funds
• Single-hop swaps from aggregator funds
• Appropriate handling of the multi-hop limitation

Likely an incorrect or invalid review comment.