Lack of Support for ERC-20 Tokens Beyond USDC in Zeno
Summary
The protocol fails to support ERC-20 tokens other than USDC, despite explicitly stating in the scope section (Compatibilities) that it is designed to be compatible with multiple ERC20 tokens
Vulnerability Details
The current implementation of the Auction contract restricts all transactions to USDC, contradicting the stated compatibility with other ERC-20 tokens. Both the buy and redeem functions rely on the immutable usdc state variable for receiving and distributing funds, effectively preventing the use of any other token. This limitation contradicts the expected functionality as outlined in the protocol's scope.
Impact
This design flaw significantly limits participation in the auction system:
Excludes Non-USDC Holders: Users holding alternative ERC-20 tokens cannot engage in the auction unless they first convert their assets to USDC, introducing friction and additional costs.
Reduced Liquidity & Adoption: The restriction may deter potential participants, leading to decreased auction activity, lower liquidity, and reduced overall protocol adoption.
Inconsistency with Stated Functionality: The lack of multi-token support contradicts the protocol's advertised features, potentially harming its credibility and trust within the ecosystem.
Tools Used
Manual Review
Recommendations
Modify the contract to support multiple ERC-20 tokens by implementing a whitelisted token registry that allows users to transact with approved assets
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.