Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

ZENO Tokens Incorrectly Redeemed at 1:1 Ratio with USDC, Breaking Zero-Bond Logic

Summary

The current implementation of ZENO.sol incorrectly allows ZENO tokens to be redeemed at a fixed 1:1 ratio with USDC. This approach is flawed for two key reasons:

  1. Decimal Mismatch – This issue has been raised separately, but it directly impacts the redemption process.

  2. Zero-Bond Pricing Model Ignored – ZENO tokens are intended to function as zero-coupon bonds, meaning they should be purchased at a discount and redeemed at a nominal value upon maturity. However, the current system fails to account for this, effectively forcing users to purchase ZENO at a premium rather than a discount.

Vulnerability Details

According to the documentation, ZENO tokens act as zero-coupon bonds, meaning (the values below are just examples):

  • Users buy ZENO at a discount (e.g., 1 ZENO costs 3000 USDC).

  • Upon maturity, the bondholder should receive the nominal value (e.g., 3500 USDC for 1 ZENO).

However, the current logic does not reflect this structure. When a user purchases ZENO through the buy(...) function in Auction.sol, the cost is calculated as:

    cost = amount * price;

This amount of ZENO is minted and held by the user. However, when the user redeems their ZENO in ZENO.sol, the contract incorrectly assumes a 1:1 exchange rate with USDC:

    function redeem(uint amount) external nonReentrant {
        if (!isRedeemable()) {
            revert BondNotRedeemable();
        }
        if (amount == 0) {
            revert ZeroAmount();
        }
        uint256 totalAmount = balanceOf(msg.sender);
        if (amount > totalAmount) {
            revert InsufficientBalance();
        }
        totalZENORedeemed += amount;
        _burn(msg.sender, amount);
        USDC.safeTransfer(msg.sender, amount); // @audit-issue amount
    }

Issues with This Implementation:

  • Incorrect Pricing Model – Users are paying amount * price in USDC but only receiving amount USDC upon redemption, meaning they are effectively paying a premium instead of receiving a discounted bond.

  • No Maturity Value Adjustment – The function does not adjust for the intended increased value upon redemption. The zero-bond logic is entirely missing.

  • Decimal Issues – The 18-decimal ZENO token and 6-decimal USDC further exacerbate the problem.

Impact

  • Users lose money when purchasing ZENO because they are effectively paying more than they receive.

  • The zero-bond logic is completely broken, making the system unusable as intended.

  • The contract fails to reflect the promised discounted purchase and maturity payout model.

Tools Used

N/A

Recommendations

  • Implement a proper pricing mechanism in the redeem(...) function to ensure that ZENO is redeemed at its maturity value rather than a 1:1 rate.

  • Adjust calculations to properly account for decimal mismatches between ZENO and USDC.

  • Introduce a time-based maturity scaling mechanism to ensure ZENO holders receive the expected nominal value upon redemption.
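
The arithmetic behind the finding and the recommendations above, as an added example (not code from the submission or the project): a BigInt model of the as-written cost and 1:1 payout next to a normalized, nominal-value redemption. The function names, the rounding directions and the unit assumptions (18-decimal ZENO amounts, price and nominal value in 6-decimal USDC base units per whole ZENO) are assumptions; 3000 and 3500 USDC are the page's illustrative values.

```javascript
// Added model, not project code. Assumptions: ZENO amounts are 18-decimal base
// units; price and nominal value are USDC base units (6 decimals) per whole ZENO.
const ZENO_UNIT = 10n ** 18n; // base units in 1 ZENO
const USDC_UNIT = 10n ** 6n;  // base units in 1 USDC

// As shown on the page: Auction.buy() charges amount * price ...
function costAsWritten(zenoAmount, price) {
  return zenoAmount * price;
}

// ... and ZENO.redeem() transfers `amount` USDC base units (the 1:1 path).
function payoutAsWritten(zenoAmount) {
  return zenoAmount;
}

// Hypothetical corrected cost: divide out the ZENO scale, rounding up so a
// buyer never underpays by a fraction of a base unit.
function costNormalized(zenoAmount, price) {
  return (zenoAmount * price + ZENO_UNIT - 1n) / ZENO_UNIT;
}

// Hypothetical corrected payout: nominal value per ZENO, rounding down so the
// contract never pays out more USDC than the bond's nominal value.
function payoutAtNominal(zenoAmount, nominal) {
  return (zenoAmount * nominal) / ZENO_UNIT;
}

// Constructed sample values taken from the page's illustration.
const PRICE = 3000n * USDC_UNIT;   // 1 ZENO costs 3000 USDC
const NOMINAL = 3500n * USDC_UNIT; // 1 ZENO matures at 3500 USDC

function compare(zenoAmount) {
  const paid = costAsWritten(zenoAmount, PRICE);
  const back = payoutAsWritten(zenoAmount);
  const fairCost = costNormalized(zenoAmount, PRICE);
  const fairPayout = payoutAtNominal(zenoAmount, NOMINAL);
  return {
    paid, back, fairCost, fairPayout,
    holderLosesAsWritten: back < paid, // 1:1 redemption returns less than was paid
    bondYield: fairPayout - fairCost,  // discount realised at maturity
  };
}

console.log(compare(ZENO_UNIT)); // 1 whole ZENO
```
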

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

ZENO.sol implements fixed 1:1 redemption with USDC regardless of auction purchase price, breaking zero-coupon bond economics and causing user funds to be permanently lost

Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments

Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
