Submission Details
Severity:
Decimals mismatch between USDC and ZENO
Summary
The default decimal of `ZENO` is 18. But USDC has 6 decimals and 18 decimals. This mismatch creates potential vulnerabilities.
Vulnerability Details
The code hasn't handled the decimal conversion problem. So keeping the same decimals between `USDC` and `ZENO` is necessary. But the ZENO contracts haven't overridden the corresponding function.
function mint(address to, uint256 amount) external onlyOwner {
if (amount == 0) {
revert ZeroAmount();
}
_mint(to, amount);
totalZENOMinted += amount;
}
function redeem(uint amount) external nonReentrant {
if (!isRedeemable()) {
revert BondNotRedeemable();
}
if (amount == 0) {
revert ZeroAmount();
}
uint256 totalAmount = balanceOf(msg.sender);
if (amount > totalAmount) {
revert InsufficientBalance();
}
totalZENORedeemed += amount;
_burn(msg.sender, amount);
USDC.safeTransfer(msg.sender, amount);
}
Impact
Tools Used
Manual
Recommendations
Override the function of the decimal and associate it with a specific USDC.
Updates
Lead Judging Commences
inallhonesty 2 months ago
Submission Judgement Published Assigned finding tags:
Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.