The ZENO contract contains a critical vulnerability in its redeem and redeemAll functions: the redemption calculation does not account for the decimal difference between ZENO (18 decimals) and USDC (6 decimals). Because the ZENO base-unit amount is used directly as the USDC base-unit amount, the contract attempts to transfer 10^(18-6) = 1e12 times more USDC than intended, and every redemption reverts for insufficient USDC balance.
In both redeem and redeemAll, ZENO tokens are burned and USDC is transferred without accounting for the decimal difference: the USDC transfer amount is taken directly from the ZENO amount burned, with no division by 1e12.
When a user attempts to redeem 1 ZENO token:
Input amount = 1e18 (1 ZENO in base units)
Contract burns 1e18 ZENO base units (correct)
Contract attempts to transfer 1e18 USDC base units, i.e. 1e12 USDC, where 1e6 base units (1 USDC) was intended
Transfer fails because the contract does not hold that much USDC (it would need 1e12 USDC in reserve for a single 1 ZENO redemption)
Complete denial of service for token redemptions: the USDC transfer fails for any realistic reserve, and since the failed transfer reverts the whole transaction, the ZENO burn is rolled back as well.
All redemption functionality is blocked. Users keep their ZENO but cannot convert it to the USDC they are owed.
Manual Review
Fix the decimal scaling in both functions: divide the ZENO base-unit amount by 10^(18-6) = 1e12 before the USDC transfer, or, more robustly, derive the factor from the two tokens' decimals() so the contract does not hard-code either value. Because the division truncates, the fix should also reject (or round up handling for) amounts that scale to zero USDC, otherwise ZENO below 1e12 base units is burned with nothing paid out.
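To make the arithmetic concrete, the following is a Python model of the redemption path. It is an added example, not the project's Solidity: the Token ledger class, the account names, the burn sink and the 1,000,000 USDC reserve are constructed for illustration, and the InsufficientBalance exception stands in for the revert an ERC-20 transfer raises. It runs the unscaled transfer the finding describes, shows the revert rolling the burn back, then runs the same redemption with the factor derived from the two tokens' decimals. scale_amount goes beyond the specific case on this page by handling the opposite scaling direction as well and by documenting the truncation dust the fix must guard against.

```python
"""Model of the ZENO -> USDC redemption arithmetic (added illustration; not the
project's Solidity). Ledger, function and account names are hypothetical."""
import copy

ZENO_DECIMALS = 18
USDC_DECIMALS = 6
CONTRACT = "zeno_contract"   # hypothetical account holding the USDC reserve
BURN_SINK = "burn_sink"      # hypothetical sink standing in for _burn()


class InsufficientBalance(Exception):
    """Stands in for the revert an ERC-20 transfer raises on insufficient funds."""


class Token:
    """Minimal ERC-20-style ledger: integer base units, revert instead of underflow."""

    def __init__(self, name: str, decimals: int) -> None:
        self.name, self.decimals, self.balances = name, decimals, {}

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balance_of(who) + amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balance_of(src) < amount:
            raise InsufficientBalance(
                f"{self.name}: {src} holds {self.balance_of(src)}, needs {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount


def scale_amount(amount: int, from_decimals: int, to_decimals: int) -> int:
    """Convert base units between tokens with different decimals().

    Scaling down uses integer division, so any part of `amount` below
    10**(from_decimals - to_decimals) is truncated: it would still be burned
    but never paid out. Callers should reject amounts that scale to zero.
    """
    if from_decimals >= to_decimals:
        return amount // 10 ** (from_decimals - to_decimals)
    return amount * 10 ** (to_decimals - from_decimals)


def redeem(zeno: Token, usdc: Token, user: str, zeno_amount: int, *, scaled: bool) -> int:
    """Burn ZENO, then pay USDC. scaled=False reproduces the reported bug:
    the ZENO base-unit amount is passed straight to the USDC transfer."""
    zeno.transfer(user, BURN_SINK, zeno_amount)
    usdc_amount = (scale_amount(zeno_amount, zeno.decimals, usdc.decimals)
                   if scaled else zeno_amount)
    usdc.transfer(CONTRACT, user, usdc_amount)
    return usdc_amount


def redeem_all(zeno: Token, usdc: Token, user: str, *, scaled: bool) -> int:
    """Same path as redeem(), over the caller's whole ZENO balance."""
    return redeem(zeno, usdc, user, zeno.balance_of(user), scaled=scaled)


def run_tx(zeno: Token, usdc: Token, fn):
    """Run fn(zeno, usdc) as one transaction: an exception reverts all state."""
    snapshot = (copy.deepcopy(zeno.balances), copy.deepcopy(usdc.balances))
    try:
        return "ok", fn(zeno, usdc)
    except InsufficientBalance as err:
        zeno.balances, usdc.balances = snapshot
        return "revert", str(err)


def demo() -> dict:
    """Constructed scenario: a user redeems 1 ZENO against a 1,000,000 USDC reserve."""
    zeno, usdc = Token("ZENO", ZENO_DECIMALS), Token("USDC", USDC_DECIMALS)
    user = "alice"
    zeno.mint(user, 10**18)                 # 1 ZENO
    usdc.mint(CONTRACT, 1_000_000 * 10**6)  # 1,000,000 USDC in reserve

    # Unscaled path from the finding: asks the reserve for 1e18 USDC base units.
    buggy = run_tx(zeno, usdc, lambda z, u: redeem(z, u, user, 10**18, scaled=False))
    zeno_after_revert = zeno.balance_of(user)   # the revert rolled the burn back

    # Scaled path: 1e18 ZENO base units -> 1e6 USDC base units (1 USDC).
    fixed = run_tx(zeno, usdc, lambda z, u: redeem_all(z, u, user, scaled=True))
    return {
        "buggy": buggy,
        "zeno_after_revert": zeno_after_revert,
        "fixed": fixed,
        "user_usdc": usdc.balance_of(user),
        "user_zeno": zeno.balance_of(user),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contract-side equivalent of scale_amount for this pair is dividing the burned ZENO amount by 10 ** (zenoDecimals - usdcDecimals) before calling the USDC transfer; the run_tx snapshot mirrors why the burn is not lost today (the revert undoes it) and why a scaled amount of zero must be rejected once the fix lands (a burn with no revert would then pay nothing).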