The ZENO contract suffers from a critical decimal mismatch between the ZENO token (18 decimals, inherited from ERC20) and USDC (6 decimals). The redeem function does not adjust for this difference, causing users to receive a tiny fraction of their expected USDC upon redemption. This high-likelihood issue could result in near-total loss of value for users, undermining the contract’s core functionality.
The ZENO token operates with 18 decimals per the ERC20 standard, while USDC uses 6 decimals. In the redeem function, no conversion is applied when transferring USDC to the user. For example:
A user deposits 1000 USDC (1000 * 10^6 = 1,000,000,000 units).
They receive 1000 ZENO (1000 * 10^18 units).
Upon redeeming 1000 ZENO, they receive 1000 * 10^6 USDC units due to the mismatch.
This results in a 99.9999% value loss; the correct payout is 1000 USDC once the decimal difference is accounted for.
The impact is severe, with users losing 99.9999% of their redeemed value due to the decimal mismatch. This not only causes significant financial loss but also erodes trust in the ZENO contract, potentially rendering it unusable for its intended purpose. Given the high likelihood of occurrence during normal operation, this vulnerability poses an immediate threat to all users.
Manual code review: identified the missing decimal adjustment in the redeem function.
Modify the redeem function to adjust for the decimal difference by dividing the ZENO amount by 10^12 (the difference between 18 and 6 decimals):
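As an added illustration (not the audited ZENO contract's code), a minimal Solidity stand-in showing the redeem path before and after the 10^12 adjustment; the OpenZeppelin imports and the names USDC, SCALE, deposit, redeemVulnerable and redeem are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical stand-in for the ZENO vault: an 18-decimal share token backed 1:1 by USDC (6 decimals).
contract ZenoExample is ERC20 {
    using SafeERC20 for IERC20;

    IERC20 public immutable USDC;
    // 10 ** (18 - 6): one USDC unit corresponds to 1e12 ZENO units
    uint256 public constant SCALE = 1e12;

    constructor(IERC20 usdc) ERC20("ZENO", "ZENO") {
        USDC = usdc;
    }

    /// Deposit scales up: 1000 USDC (1000e6 units) mints 1000 ZENO (1000e18 units).
    function deposit(uint256 usdcAmount) external {
        USDC.safeTransferFrom(msg.sender, address(this), usdcAmount);
        _mint(msg.sender, usdcAmount * SCALE);
    }

    /// VULNERABLE pattern: the 18-decimal ZENO amount is passed unchanged to the 6-decimal USDC transfer.
    function redeemVulnerable(uint256 zenoAmount) external {
        _burn(msg.sender, zenoAmount);
        USDC.safeTransfer(msg.sender, zenoAmount); // wrong unit: ZENO units, not USDC units
    }

    /// FIXED: scale the ZENO amount back down by 10^12 before paying out USDC.
    function redeem(uint256 zenoAmount) external {
        _burn(msg.sender, zenoAmount);
        uint256 usdcAmount = zenoAmount / SCALE;
        // Added guard: integer division rounds down, so amounts below 1e12 ZENO units
        // would burn shares and pay nothing.
        require(usdcAmount > 0, "amount below 1 USDC unit");
        USDC.safeTransfer(msg.sender, usdcAmount);
    }
}
```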