Decimal Mismatch in ZENO::redeem() and ZENO::redeemAll() leads to users receiving more usdc tokens
Summary
The redeem() and redeemAll() functions allow users to exchange ZENO tokens (18 decimals) for USDC (6 decimals). However, these functions do not properly convert ZENO’s 18 decimal format into USDC’s 6 decimal format before transferring USDC to users.
This results in users receiving 10^12 times more USDC than intended.
Vulnerability Details
ZENO uses 18 decimals, meaning 1 ZENO = 10^18 wei.
USDC uses 6 decimals, meaning 1 USDC = 10^6 wei.
The function transfers amount of USDC directly without adjusting for decimal differences.
Users will receive 10^12 times more USDC than intended.
This results in catastrophic financial loss for the protocol.
Impact
Users receive 1,000,000,000,000x more USDC than expected per ZENO redeemed.
Tools Used
Manual Review
Recommendations
Convert ZENO amount from 18 decimals to 6 decimals before transfer.
Lead Judging Commences
Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.