Submission Details
Severity:
`ZENO.sol#redeem`: unable to redeem
Vulnerability Details
In ZENO.sol#redeem, it does not consider the decimals of ZENO and USDC.
/// @dev https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/zeno/ZENO.sol#L46
function redeem(uint amount) external nonReentrant {
_burn(msg.sender, amount);
USDC.safeTransfer(msg.sender, amount);
}
function redeemAll() external nonReentrant {
// ...
uint256 amount = balanceOf(msg.sender);
_burn(msg.sender, amount);
USDC.safeTransfer(msg.sender, amount);
}
Impact
A large amount of USDC can be withdrawn while only burning a small amount of ZENO tokens.
Tools Used
Manual.
Recommendations
Add scale factor to calculate the correct amount of USDC to redeem.
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.