Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

ZENO redemption transfers dust amounts of USDC due to decimal mismatch

Summary

In RAAC, users can participate in a Dutch-style auction to purchase ZENO bonds. They pay less than 1 USD worth of USDC, then later redeem the ZENO at maturity and realize a profit.

The issue is that when buying ZENO tokens, a user is minted, for example, 10 tokens. However, upon redemption, these 10 tokens are burned and only 10 wei of USDC is transferred.

Vulnerability Details

    function redeem(uint amount) external nonReentrant { // user redeems 10 tokens
        if (!isRedeemable()) {
            revert BondNotRedeemable();
        }
        if (amount == 0) {
            revert ZeroAmount();
        }
        uint256 totalAmount = balanceOf(msg.sender);
        if (amount > totalAmount) {
            revert InsufficientBalance();
        }
        totalZENORedeemed += amount;
        _burn(msg.sender, amount); // here 10 tokens get burned from the user
        USDC.safeTransfer(msg.sender, amount); // an amount of 10 USDC base units gets transferred, which is dust
    }

Impact

Users experience loss of funds due to the decimals mismatch.

Tools Used

Manual review

Recommendations

    USDC.safeTransfer(msg.sender, amount * 1e6);

Multiply by 1e6 in order to get the correct amount.
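
The conversion behind this recommendation, written as a general unit-aware helper (an added example, not RAAC code). It assumes one whole ZENO bond redeems for exactly 1 USDC at maturity; `ZenoPayout`, `usdcOwed`, `RedemptionMath`, `zenoUnit` and `usdcUnit` are hypothetical names, and the helper goes beyond the 10-token case by also covering ZENO balances scaled to 18 decimals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not RAAC code; all names here are hypothetical.
// Assumption: one whole ZENO bond redeems for exactly 1 USDC at maturity.
library ZenoPayout {
    error ZeroUnit();
    error LossyConversion(uint256 zenoAmount);

    /// @param zenoAmount amount being burned, in the units ZENO balances are kept in
    /// @param zenoUnit   ZENO units that make up one bond: 1 if balances count
    ///                   whole bonds, 1e18 if they are scaled to 18 decimals
    /// @param usdcUnit   USDC base units per 1 USDC (1e6 for 6 decimals)
    function usdcOwed(uint256 zenoAmount, uint256 zenoUnit, uint256 usdcUnit)
        internal
        pure
        returns (uint256 owed)
    {
        if (zenoUnit == 0) revert ZeroUnit();
        uint256 scaled = zenoAmount * usdcUnit; // checked multiply, reverts on overflow
        // Refuse to burn ZENO that cannot be paid out exactly in USDC base units.
        if (scaled % zenoUnit != 0) revert LossyConversion(zenoAmount);
        owed = scaled / zenoUnit;
    }
}

contract RedemptionMath {
    uint256 public constant USDC_UNIT = 1e6;

    // Payout as in the reported redeem(): the ZENO amount is used as the USDC amount.
    function payoutAsReported(uint256 zenoAmount) external pure returns (uint256) {
        return zenoAmount;
    }

    // Payout with explicit unit conversion between ZENO and USDC.
    function payoutScaled(uint256 zenoAmount, uint256 zenoUnit) external pure returns (uint256) {
        return ZenoPayout.usdcOwed(zenoAmount, zenoUnit, USDC_UNIT);
    }
}
```

With `zenoUnit = 1`, `payoutScaled` reduces to the `amount * 1e6` recommended above; a unit test comparing `payoutAsReported` and `payoutScaled` for the same input makes the mismatch visible before deployment.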

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
