Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Decimal Discrepancy in Zeno leads to overvaluing of ZENO-USDC

oxaudron

Summary

In the ZENO contract, minting is assigned to onlyOwner. However the redeem functions - redeem , redeemAll can be called by users who have ZENO balance. However there is an issue which is not taken into account in here that ZENO is ERC20 which has 18 decimals, however USDC has 6 decimals. So if a user wants to redeem 1 ZENO, he will receive 1e12 USDC tokens which is equal to $1000 billions which is really concerning

Vulnerability Details

User can redeem the of ZENO token based on amount parameters. These are the functions :

function redeem(uint amount) external nonReentrant {

if (!isRedeemable()) {

revert BondNotRedeemable();

}

if (amount == 0) {

revert ZeroAmount();

}

uint256 totalAmount = balanceOf(msg.sender);

if (amount > totalAmount) {

revert InsufficientBalance();

}

totalZENORedeemed += amount;

_burn(msg.sender, amount);

USDC.safeTransfer(msg.sender, amount);

}

function redeemAll() external nonReentrant {

if (!isRedeemable()) {

revert BondNotRedeemable();

}

uint256 amount = balanceOf(msg.sender);

totalZENORedeemed += amount;

_burn(msg.sender, amount);

USDC.safeTransfer(msg.sender, amount);

}

Since ZENO inherits from ERC20, which has fixed decimal point of 18. However USDC has that of 6. This will create high discrepancy in the system.

Impact

Very high overvaluing of ZENO-USDC pair, where 1 ZENO = 1e12 USDC

Tools Used

Manual Review

Recommendations

Change the decimals by overriding it in ZENO :

function decimals() public override view returns (uint8) {

return usdc.decimals();

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.