Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Users cannot redeem all of the USDC they bid into the Auction contract, which can leave USDC stuck in the ZENO contract

Summary

Users do not get back all of the USDC they sent to the Auction.sol contract when they acquire ZENO bonds. To buy bonds, a user is expected to pay the cost of each bond, and the number of bonds bought is minted to them. If a bond costs 99 USDC, the user pays 99 USDC and 1 ZENO bond is minted. The USDC eventually goes to the businessAddress.

When the redemption period arrives, and the businessAddress has by then refunded the ZENO contract, users who invoke the redeem(uint256 amount) or redeemAll functions cannot redeem all of their USDC, because the ZENO contract does not track the amount of USDC each user actually sent to the Auction contract.

Vulnerability Details

  1. User bids for 5 ZENO bonds at a price of 99 USDC each: 5 * 99 = 495 USDC.

  2. User waits until the maturity period on the ZENO contract.

  3. businessAddress returns all 495 USDC to

  4. User calls the redeemAll function on the ZENO contract.

  5. 5 ZENO bonds are burnt and 5 USDC are sent to the user.

  6. User loses 490 USDC because the contract does not track the cost at which the user acquired each ZENO bond.

After redeeming far less than expected, the user cannot withdraw the remaining amount because there is no other way to withdraw these tokens. The documentation expects users to redeem all of their USDC.

This is the PoC:

Integrate Foundry into the project and install the following dependencies:

```
forge init --force
forge install openzeppelin/openzeppelin-contracts --no-commit
forge install smartcontractkit/chainlink --no-commit
forge install openzeppelin/openzeppelin-contracts-upgradeable --no-commit
```
Use this remappings.txt:
```
@openzeppelin/contracts-upgradeable/=lib/openzeppelin-contracts-upgradeable/contracts/
@openzeppelin/contracts/=lib/openzeppelin-contracts/contracts/
@chainlink/=lib/chainlink/
```

Impact

  1. Users cannot redeem all of the USDC they bid into the contract.

  2. USDC may become stuck in the ZENO contract after the businessAddress returns all of the USDC to it.

Tools Used

Manual Review, Foundry

Recommendation

Design the ZENO contract to keep a state variable that records the exact amount each user paid, and the bond price, when the bond was acquired through the Auction. That record can then be used to compute the amount of USDC to transfer back to the user, so users no longer redeem far less than the USDC they put in.
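One shape the recommendation could take, as an added example rather than the project's own ZENO.sol or Auction.sol (whose interfaces are not shown on this page): the bond contract records the USDC paid at mint time and redeems against that recorded cost instead of one USDC per bond. The contract and function names (ZenoBondExample, costBasis, the auction-only mint signature), the OpenZeppelin v5 imports resolved through the remappings above, and the pro-rata treatment of partial redemptions and transfers are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's ZENO.sol. Assumes OpenZeppelin v5 under the
// remappings above and a USDC-like IERC20 with 6 decimals.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Zero-coupon bond whose redemption pays back what the holder actually paid
/// at auction (hypothetical contract, names are assumptions).
contract ZenoBondExample is ERC20 {
    using SafeERC20 for IERC20;

    IERC20 public immutable usdc;
    address public immutable auction;   // assumed: the only address allowed to mint
    uint256 public immutable maturity;  // unix time after which redemption opens

    /// Total USDC (raw 6-decimal units) each holder paid for the bonds they hold.
    /// This is the state the recommendation asks the ZENO contract to keep.
    mapping(address => uint256) public costBasis;

    constructor(IERC20 usdc_, address auction_, uint256 maturity_)
        ERC20("ZENO Bond Example", "ZENO")
    {
        usdc = usdc_;
        auction = auction_;
        maturity = maturity_;
    }

    /// Bonds are counted in whole units, matching the finding's "5 ZENO bonds".
    function decimals() public pure override returns (uint8) {
        return 0;
    }

    /// The auction reports the clearing trade: `amount` bonds for `paid` USDC in total.
    function mint(address to, uint256 amount, uint256 paid) external {
        require(msg.sender == auction, "only auction");
        require(amount > 0, "zero amount");
        costBasis[to] += paid;
        _mint(to, amount);
    }

    /// The flawed shape described in the finding, kept only for contrast and never
    /// called here: paying `amount` USDC for `amount` bonds ignores the auction
    /// price, so 5 bonds bought for 495 USDC redeem for 5.
    function flawedPayout(uint256 amount) public pure returns (uint256) {
        return amount;
    }

    /// Redeem `amount` bonds for the pro-rata share of the caller's recorded cost.
    function redeem(uint256 amount) public {
        require(block.timestamp >= maturity, "not matured");
        uint256 held = balanceOf(msg.sender);
        require(amount > 0 && amount <= held, "bad amount");

        // A partial redemption returns the same fraction of what was paid;
        // redeeming everything returns the full cost basis.
        uint256 payout = (costBasis[msg.sender] * amount) / held;
        costBasis[msg.sender] -= payout;
        _burn(msg.sender, amount);

        // Reverts if businessAddress has not yet refunded enough USDC.
        usdc.safeTransfer(msg.sender, payout);
    }

    function redeemAll() external {
        redeem(balanceOf(msg.sender));
    }

    /// Keep the cost basis attached to the bonds when they change hands, so a
    /// secondary buyer redeems for what the seller originally paid.
    function _update(address from, address to, uint256 value) internal override {
        if (from != address(0) && to != address(0)) {
            uint256 fromBal = balanceOf(from);
            if (fromBal > 0 && value > 0) {
                uint256 moved = (costBasis[from] * value) / fromBal;
                costBasis[from] -= moved;
                costBasis[to] += moved;
            }
        }
        super._update(from, to, value);
    }
}
```

With the finding's numbers, the auction calls mint(user, 5, 495e6) and, after maturity, redeemAll transfers 495e6 raw units (495 USDC) back to the user, whereas flawedPayout(5) shows the one-for-one shape that the finding describes. Aggregating the cost basis per holder is the simplest fix; a per-lot record (price and quantity of each auction fill) would also work and avoids the pro-rata rounding on partial redemptions, at the cost of more storage.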

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

ZENO.sol implements fixed 1:1 redemption with USDC regardless of auction purchase price, breaking zero-coupon bond economics and causing user funds to be permanently lost
