Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Decimal mismatch in `redeem()` function leads to excessive USDC transfer

Summary

The redeem() function in ZENO contract transfers USDC without accounting for the decimal difference between ZENO (18 decimals) and USDC (6 decimals).

Vulnerability Details

The redeem() function directly uses the ZENO amount for USDC transfer:

```solidity
function redeem(uint amount) external nonReentrant {
    if (!isRedeemable()) {
        revert BondNotRedeemable();
    }
    if (amount == 0) {
        revert ZeroAmount();
    }
    uint256 totalAmount = balanceOf(msg.sender);
    if (amount > totalAmount) {
        revert InsufficientBalance();
    }
    totalZENORedeemed += amount;
    _burn(msg.sender, amount);
    // `amount` is a quantity of ZENO base units (18 decimals), but it is
    // handed unchanged to the USDC transfer, which expects USDC base units
    // (6 decimals). No scaling by 1e12 takes place anywhere in the function.
    USDC.safeTransfer(msg.sender, amount);
}
```

This is incorrect because `amount` is denominated in ZENO base units (18 decimals) while `USDC.safeTransfer` expects USDC base units (6 decimals). Redeeming 1 ZENO (1e18 base units) therefore attempts to pay out 1e18 USDC base units, i.e. 1e12 USDC, where 1e6 base units (1 USDC) is intended.

Impact

Users can receive 1e12 times more USDC than intended when redeeming their ZENO tokens: redeeming 1 ZENO pays 1,000,000,000,000 USDC instead of 1 USDC. Which failure materialises depends on the contract's USDC balance. If it holds enough to cover the inflated amount, the first redeemers drain it and every later holder is left unpaid; if it does not, `safeTransfer` reverts and every redemption above dust size fails. In both cases the bond cannot be redeemed as designed.

Recommendations

Scale the ZENO amount down to USDC units before transferring, i.e. divide by 1e12 for 18 versus 6 decimals, preferably deriving the factor from `decimals()` and `USDC.decimals()` rather than hard-coding it. Handle the rounding the division introduces as well: an `amount` that is not a multiple of 1e12 loses its remainder, and any `amount` below 1e12 rounds to zero USDC while still burning the caller's ZENO, so either reject such amounts or burn only the ZENO that is actually paid out.
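The following is an added illustration of the recommended fix, not the ZENO contract's own code. It assumes OpenZeppelin v5 import paths, that ZENO is a plain 18-decimal `ERC20`, and that redeemability is a simple maturity timestamp; the contract name, constructor, `maturity`, `SCALE` and `AmountTooSmall` are hypothetical. It scales the amount once, rejects amounts that would round to zero USDC, and burns only the ZENO that is actually paid for so no dust is lost.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed OpenZeppelin v5 paths (v4 places ReentrancyGuard under security/).
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical minimal bond token showing a decimal-aware redeem().
contract ZenoRedeemExample is ERC20, ReentrancyGuard {
    using SafeERC20 for IERC20Metadata;

    error BondNotRedeemable();
    error ZeroAmount();
    error InsufficientBalance();
    error AmountTooSmall(); // hypothetical: amount rounds to 0 USDC units

    IERC20Metadata public immutable USDC;
    uint256 public immutable maturity; // hypothetical redeemability condition
    uint256 public totalZENORedeemed;

    // 10 ** (ZENO decimals - USDC decimals): 1e12 for 18 vs 6. Derived from
    // both tokens' decimals() at deployment instead of a hard-coded literal.
    uint256 private immutable SCALE;

    constructor(IERC20Metadata usdc, uint256 maturity_) ERC20("ZENO", "ZENO") {
        USDC = usdc;
        maturity = maturity_;
        uint8 usdcDecimals = usdc.decimals();
        require(decimals() >= usdcDecimals, "unsupported decimals");
        SCALE = 10 ** (decimals() - usdcDecimals);
    }

    function isRedeemable() public view returns (bool) {
        return block.timestamp >= maturity;
    }

    function redeem(uint256 amount) external nonReentrant {
        if (!isRedeemable()) revert BondNotRedeemable();
        if (amount == 0) revert ZeroAmount();
        if (amount > balanceOf(msg.sender)) revert InsufficientBalance();

        // Convert 18-decimal ZENO base units to 6-decimal USDC base units.
        uint256 usdcAmount = amount / SCALE;
        // Below 1e12 ZENO base units the payout rounds to zero; refuse rather
        // than burn the caller's tokens for nothing.
        if (usdcAmount == 0) revert AmountTooSmall();

        // Burn exactly the ZENO that the payout covers, so a remainder that is
        // not a whole USDC unit stays with the caller instead of being lost.
        uint256 burned = usdcAmount * SCALE;
        totalZENORedeemed += burned;
        _burn(msg.sender, burned);
        USDC.safeTransfer(msg.sender, usdcAmount);
    }
}
```

Burning `burned` rather than `amount` is a design choice: a caller who passes 1.5e12 ZENO base units receives 1 USDC base unit and keeps 0.5e12 ZENO, whereas burning `amount` would silently forfeit that remainder. If the project prefers that every call redeem exactly the requested amount, the alternative is to require `amount % SCALE == 0`.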

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
