Submission Details
Severity:
ZENO.sol, redeem() and redeemAll() does not take decimals to account and transfer usdc based on ZENO's decimals, letting anyone redeem more USDC than they are entitiled.
Summary
The ZENO contract lets users redeem USDC after it matures. The functions transfer USDC equilvalent to the amount of ZENO burned. However, since USDC has 6 decimals and ZENO has 18, (decimals is not overridden, the default decimals of openzeppelin's ERC20 is 18), for 1 ZENO burned, users will receive 1e18 of USDC, ~1000000000000 USDC.
Vulnerability Details
In redeem() and redeemAll(),
function redeem(uint amount) external nonReentrant {
....
_burn(msg.sender, amount);
USDC.safeTransfer(msg.sender, amount);
}
function redeemAll() external nonReentrant {
....
_burn(msg.sender, amount);
USDC.safeTransfer(msg.sender, amount);
}
function decimals() public view virtual returns (uint8) {
return 18;
}
Impact
This lets anyone gain 1e12 more USDC per 1 of ZENO, effectively draining the contract
Tools Used
Manual Review
Recommendations
Override the decimals() of ZENO and make it 6, or account for decimals before transferring USDC.
function redeemAll() external nonReentrant {
....
_burn(msg.sender, amount);
++ uint256 usdcAmount = (amount * USDC.decimals()) / decimals()
-- USDC.safeTransfer(msg.sender, amount);
++ USDC.safeTransfer(msg.sender, usdcAmount);
}
Updates
Lead Judging Commences
inallhonesty 5 months ago
Submission Judgement Published Assigned finding tags:
Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.