Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

A user could steal funds by redeeming ZENO tokens

Summary

Once MATURITY_DATE has been reached, users can redeem their ZENO tokens in exchange for the USDC they originally deposited through Auction::buy. However, the redeem function uses the amount of burnt ZENO tokens directly as the amount of USDC to transfer back to the user.

Since ZENO is an 18-decimal token and USDC is a 6-decimal token, the user can redeem ZENO and receive an extremely large amount of USDC, far more than they initially deposited.

Vulnerability Details

Here is the ZENO::redeem function:

    function redeem(uint amount) external nonReentrant {
        if (!isRedeemable()) {
            revert BondNotRedeemable();
        }
        if (amount == 0) {
            revert ZeroAmount();
        }
        uint256 totalAmount = balanceOf(msg.sender);
        if (amount > totalAmount) {
            revert InsufficientBalance();
        }
        totalZENORedeemed += amount;
@>      _burn(msg.sender, amount);
@>      USDC.safeTransfer(msg.sender, amount);
    }

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/zeno/ZENO.sol#L46

We can see that the amount of burnt ZENO is used, unchanged, as the amount of USDC transferred back to the user.
The 18-decimal ZENO amount is therefore paid out in base units of a 6-decimal token: burning 1 ZENO (1e18 base units) transfers 1e18 USDC base units, i.e. 10^12 USDC, instead of the value the user deposited.

Impact

A user could receive an extremely large amount of USDC relative to their deposit, draining the USDC held by the contract at the expense of other ZENO holders.

Tools Used

Recommendations

Configure a pricing mechanism for redeeming ZENO. The decimals of the amount for sending USDC should correspond to the decimals of the USDC token.
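The following contract is an added example, not the RAAC project's code, showing what the recommended fix looks like: the burnt 18-decimal ZENO amount is converted into 6-decimal USDC base units through an explicit redeem price before the transfer, and redemptions that would round down to zero USDC are refused rather than burning ZENO for nothing. The names redeemPrice, usdcForZeno, RedeemTooSmall and ZENOFixedExample are assumptions introduced here; the original error names, isRedeemable and totalZENORedeemed mirror the finding. A redeemPrice of 1e6 (one USDC per whole ZENO) is assumed where the page only says the decimals should correspond.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the RAAC project's ZENO.sol): a minimal bond token whose
// redeem() scales the burnt 18-decimal ZENO amount into 6-decimal USDC.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract ZENOFixedExample is ERC20, ReentrancyGuard {
    using SafeERC20 for IERC20;

    error BondNotRedeemable();
    error ZeroAmount();
    error InsufficientBalance();
    error RedeemTooSmall(); // assumed: payout would round down to 0 USDC

    IERC20 public immutable USDC;
    uint256 public immutable MATURITY_DATE;
    uint256 public totalZENORedeemed;

    // Assumed: USDC base units (6 decimals) owed per one whole ZENO (1e18 base units).
    // 1e6 means 1 ZENO redeems for exactly 1 USDC; the auction or an admin would set it.
    uint256 public immutable redeemPrice;

    constructor(IERC20 usdc, uint256 maturity, uint256 priceInUsdcUnits)
        ERC20("ZENO", "ZENO")
    {
        USDC = usdc;
        MATURITY_DATE = maturity;
        redeemPrice = priceInUsdcUnits;
    }

    function isRedeemable() public view returns (bool) {
        return block.timestamp >= MATURITY_DATE;
    }

    /// Converts a ZENO amount (18 decimals) into the USDC owed (6 decimals).
    /// Kept as a separate view so the scaling can be unit-tested on its own:
    /// with redeemPrice = 1e6, 1e18 ZENO base units -> 1e6 USDC base units.
    function usdcForZeno(uint256 zenoAmount) public view returns (uint256) {
        return (zenoAmount * redeemPrice) / (10 ** decimals());
    }

    function redeem(uint256 amount) external nonReentrant {
        if (!isRedeemable()) revert BondNotRedeemable();
        if (amount == 0) revert ZeroAmount();
        if (amount > balanceOf(msg.sender)) revert InsufficientBalance();

        uint256 usdcAmount = usdcForZeno(amount);
        // Dust below one USDC base unit would burn ZENO and pay nothing; refuse it
        // instead of silently rounding to zero.
        if (usdcAmount == 0) revert RedeemTooSmall();

        totalZENORedeemed += amount;
        _burn(msg.sender, amount);
        // Transfer the scaled 6-decimal amount, never the raw 18-decimal ZENO amount.
        USDC.safeTransfer(msg.sender, usdcAmount);
    }
}
```

A Hardhat test for this fix should assert two things: that usdcForZeno(1e18) equals 1e6 when redeemPrice is 1e6, and that the contract's USDC balance after a full redemption by every holder is never lower than zero USDC owed, i.e. total USDC paid out never exceeds total USDC deposited through the auction.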

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
