Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: low
Invalid

Code Duplication in Redeem Functions Increases Risk of Bugs

Description

The contract currently maintains two nearly identical redemption functions (redeem and redeemAll) with duplicated logic. This redundancy increases the maintenance burden and creates a higher risk of inconsistencies when updates are needed.

Affected code

```solidity
function redeem(uint amount) external nonReentrant {
    if (!isRedeemable()) {
        revert BondNotRedeemable();
    }
    if (amount == 0) {
        revert ZeroAmount();
    }
    uint256 totalAmount = balanceOf(msg.sender);
    if (amount > totalAmount) {
        revert InsufficientBalance();
    }
    totalZENORedeemed += amount;
    _burn(msg.sender, amount);
    USDC.safeTransfer(msg.sender, amount);
}

function redeemAll() external nonReentrant {
    if (!isRedeemable()) {
        revert BondNotRedeemable();
    }
    uint256 amount = balanceOf(msg.sender);
    totalZENORedeemed += amount;
    _burn(msg.sender, amount);
    USDC.safeTransfer(msg.sender, amount);
}
```

Vulnerability details

The current implementation duplicates core redemption logic between two functions, creating unnecessary complexity and maintenance challenges. When updates are required, changes must be implemented in multiple places, increasing the risk of introducing inconsistencies. The functions also employ different validation patterns, which could lead to confusion and potential security issues during maintenance or auditing.

Tools Used

Manual Review

Recommended Mitigation Steps

The contract should consolidate the redemption logic into a single internal function that handles all core redemption operations. This would ensure consistent validation, error handling, and event emission across all redemption paths. The public functions can then serve as thin wrappers around this core functionality, each handling only its specific input validation. Here's the recommended implementation:

```solidity
// Shared core: all checks, state updates, the transfer and the event in one place.
function _processRedemption(uint256 amount) internal {
    require(isRedeemable(), "Bond not redeemable");
    require(amount > 0, "Zero amount");
    require(USDC.balanceOf(address(this)) >= amount, "Insufficient USDC");
    totalZENORedeemed += amount;
    _burn(msg.sender, amount);
    USDC.safeTransfer(msg.sender, amount);
    emit ZENORedeemed(msg.sender, amount);
}

// Thin wrappers: each performs only its own input validation.
function redeem(uint256 amount) external nonReentrant {
    require(amount <= balanceOf(msg.sender), "Insufficient balance");
    _processRedemption(amount);
}

function redeemAll() external nonReentrant {
    _processRedemption(balanceOf(msg.sender));
}
```
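As an added illustration (not the submitter's recommendation and not the project's code), the same consolidation can be done while keeping the contract's existing custom errors and its original check order, so that callers and tests that already match on `BondNotRedeemable`, `ZeroAmount` and `InsufficientBalance` keep working. The contract below is a hypothetical stand-in that assumes OpenZeppelin v5 import paths, an ERC20 base providing `balanceOf` and `_burn`, and an abstract `isRedeemable()` supplied by the real contract:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical stand-in for the bond contract (assumption, not the project's code):
/// only the members needed to show a single, shared redemption path.
abstract contract ConsolidatedRedeemExample is ERC20, ReentrancyGuard {
    using SafeERC20 for IERC20;

    error BondNotRedeemable();
    error ZeroAmount();
    error InsufficientBalance();

    event ZENORedeemed(address indexed holder, uint256 amount);

    IERC20 public immutable USDC;
    uint256 public totalZENORedeemed;

    constructor(IERC20 usdc) {
        USDC = usdc;
    }

    /// Left abstract here; the real contract derives this from its maturity/state logic.
    function isRedeemable() public view virtual returns (bool);

    /// Single redemption path: every validation, state update, transfer and event
    /// lives here, so both public entry points cannot drift apart.
    function _redeem(uint256 amount) internal {
        if (!isRedeemable()) revert BondNotRedeemable();
        if (amount == 0) revert ZeroAmount();
        if (amount > balanceOf(msg.sender)) revert InsufficientBalance();

        // Effects before the external interaction (checks-effects-interactions).
        totalZENORedeemed += amount;
        _burn(msg.sender, amount);

        USDC.safeTransfer(msg.sender, amount);
        emit ZENORedeemed(msg.sender, amount);
    }

    /// Redeem an explicit amount of bond tokens 1:1 for USDC.
    function redeem(uint256 amount) external nonReentrant {
        _redeem(amount);
    }

    /// Redeem the caller's entire balance through the same path.
    function redeemAll() external nonReentrant {
        _redeem(balanceOf(msg.sender));
    }
}
```

One behavioural difference worth deciding on explicitly when consolidating: in the affected code, `redeemAll()` called with a zero balance succeeds and does nothing, whereas routing it through a shared function that rejects zero amounts (as both the recommended `_processRedemption` and the example above do) makes it revert. A unit test for each public entry point that asserts on the exact revert reason is the simplest way to confirm the refactor preserves the intended semantics.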
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
