Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

redeem() & redeemAll() May Drain More USDC Than Minted

Summary

The contract does not track how much USDC it has received in exchange for minting ZENO tokens.

If totalZENOMinted < totalZENORedeemed, redemptions could drain excess USDC from the contract.

Example attack:

The owner mints 1,000 ZENO but sends only 10 USDC to the contract.

Users can still redeem all ZENO, withdrawing 1,000 USDC instead of 10.

Vulnerability Details

    // Burns `amount` ZENO from the caller and pays out the same `amount` of USDC.
    function redeem(uint amount) external nonReentrant {
        if (!isRedeemable()) {
            revert BondNotRedeemable();
        }
        if (amount == 0) {
            revert ZeroAmount();
        }
        uint256 totalAmount = balanceOf(msg.sender);
        if (amount > totalAmount) {
            revert InsufficientBalance();
        }
        totalZENORedeemed += amount;
        _burn(msg.sender, amount);
        USDC.safeTransfer(msg.sender, amount);
    }

    // Same payout path as redeem(), applied to the caller's full balance.
    function redeemAll() external nonReentrant {
        if (!isRedeemable()) {
            revert BondNotRedeemable();
        }
        uint256 amount = balanceOf(msg.sender);
        totalZENORedeemed += amount;
        _burn(msg.sender, amount);
        USDC.safeTransfer(msg.sender, amount);
    }

    function getDetails() external view returns (ZENODetails memory) {
        return ZENODetails(address(this), MATURITY_DATE, name(), symbol());
    }

}

Impact

Tools Used

Recommendations

    if (totalZENORedeemed + amount > totalZENOMinted) {
        revert InsufficientUSDC();
    }
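
As an added example (not part of the submission or the project's code), the following off-chain model replays the scenario from the Summary and reports the backing shortfall, meaning outstanding ZENO minus USDC held, after each step. It assumes the 1:1 payout shown in the excerpt and that a USDC transfer reverts when the contract's balance is too low; `mint`, `fund`, and the error name `TransferExceedsBalance` are hypothetical stand-ins for code the page does not show.

```javascript
// Added example: off-chain model of the ZENO/USDC accounting, not the project's code.
// Assumptions: 1 ZENO unit pays 1 USDC unit, as in safeTransfer(msg.sender, amount);
// mint() and fund() are hypothetical stand-ins for code the excerpt does not show;
// a USDC transfer reverts on insufficient balance ("TransferExceedsBalance" is model-only).
class ZenoModel {
  constructor() {
    this.usdc = 0n;            // USDC held by the contract
    this.balances = new Map(); // holder -> ZENO balance
    this.totalMinted = 0n;
    this.totalRedeemed = 0n;
  }
  balanceOf(who) { return this.balances.get(who) ?? 0n; }
  mint(to, amount) {
    this.balances.set(to, this.balanceOf(to) + amount);
    this.totalMinted += amount;
  }
  fund(amount) { this.usdc += amount; }
  // All checks run before any state change, mirroring an atomic on-chain revert.
  redeem(who, amount) {
    if (amount === 0n) throw new Error("ZeroAmount");
    if (amount > this.balanceOf(who)) throw new Error("InsufficientBalance");
    if (amount > this.usdc) throw new Error("TransferExceedsBalance");
    this.totalRedeemed += amount;
    this.balances.set(who, this.balanceOf(who) - amount);
    this.usdc -= amount;
  }
  // Backing invariant: USDC held must cover every ZENO still outstanding.
  shortfall() {
    const outstanding = this.totalMinted - this.totalRedeemed;
    return outstanding > this.usdc ? outstanding - this.usdc : 0n;
  }
}

// Replay constructed events; record any revert and the shortfall after each step.
function replay(events) {
  const m = new ZenoModel();
  return events.map(([op, ...args]) => {
    let reverted = null;
    try { m[op](...args); } catch (e) { reverted = e.message; }
    return { op, reverted, usdc: m.usdc, shortfall: m.shortfall() };
  });
}

// Constructed scenario from the Summary: 1,000 ZENO minted, 10 USDC funded.
const trace = replay([
  ["mint", "alice", 1000n], ["fund", 10n],
  ["redeem", "alice", 10n], ["redeem", "alice", 990n],
]);
console.log(trace);
```

A non-zero `shortfall` after any step is the condition worth alerting on: in this model it appears as soon as ZENO is minted without matching USDC, before any redemption is attempted.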

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
