The `redeemAll()` function in the smart contract lacks a validation check to ensure that the amount being redeemed is greater than zero before executing the `_burn()` and `USDC.safeTransfer()` operations. This oversight could result in unnecessary gas consumption and potential misuse of the function.
The `redeemAll()` function allows users to redeem their tokens by burning them and transferring an equivalent amount of USDC to their address. However, the function does not verify whether the `amount` (i.e., the user's token balance) is greater than zero before proceeding with the following operations:
- Updating the `totalZENORedeemed` state variable.
- Burning the user's tokens via `_burn()`.
- Transferring USDC to the user via `USDC.safeTransfer()`.
If a user with a balance of zero calls this function:
- The `totalZENORedeemed` state variable will remain unchanged.
- The `_burn()` function will attempt to burn zero tokens, which has no effect but still consumes gas.
- The `USDC.safeTransfer()` function will attempt to transfer zero tokens, which also consumes gas unnecessarily.
The absence of a check to ensure that `amount > 0` before proceeding with the redemption logic.
Users calling the function with a zero balance will waste gas on operations that have no meaningful effect.
Manual Code Review
A simple validation check should be added to ensure that the `amount` is greater than zero before proceeding with the redemption logic.
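The recommended guard, shown beside the unguarded flow the finding describes. This is an added sketch, not the audited contract's code: the contract name, the `NothingToRedeem` error, the `redeemAllUnchecked()` name, the OpenZeppelin v5 imports and the 1:1 token-to-USDC amount are assumptions; only `redeemAll()`, `_burn()`, `USDC.safeTransfer()`, `totalZENORedeemed` and `amount` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical stand-in for the audited contract (name and token metadata are assumed).
contract RedeemSketch is ERC20 {
    using SafeERC20 for IERC20;

    IERC20 public immutable USDC;
    uint256 public totalZENORedeemed;

    // Assumed error name; a require() with a message string works the same way.
    error NothingToRedeem();

    constructor(IERC20 usdc) ERC20("Sketch", "SKT") {
        USDC = usdc;
    }

    // Flow as described in the finding: with a zero balance, every step
    // below still executes and does nothing useful.
    function redeemAllUnchecked() external {
        uint256 amount = balanceOf(msg.sender);
        totalZENORedeemed += amount;           // += 0, value unchanged
        _burn(msg.sender, amount);             // burns zero tokens
        USDC.safeTransfer(msg.sender, amount); // external call moving zero USDC
    }

    // Recommended form: reject a zero amount before any state update,
    // burn or external call is reached.
    function redeemAll() external {
        uint256 amount = balanceOf(msg.sender);
        if (amount == 0) revert NothingToRedeem();

        totalZENORedeemed += amount;
        _burn(msg.sender, amount);
        USDC.safeTransfer(msg.sender, amount); // assumes a 1:1 redemption amount
    }
}
```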