Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Missing USDC Balance Check Before Redemption

Summary

The ZENO contract burns ZENO tokens before confirming sufficient USDC balance for redemption, risking user losses if the contract runs out of USDC. This high-impact, high-likelihood vulnerability could leave users without their redeemed value, even after their ZENO tokens are destroyed, due to a failed USDC transfer.

Vulnerability Details

In the redeem function, ZENO tokens are burned before checking the contract's USDC balance. For example:

- The contract holds 1000 USDC but has 2000 ZENO outstanding.
- User A redeems 1000 ZENO, receiving 1000 USDC successfully.
- User B attempts to redeem 1000 ZENO, but with no USDC left, their tokens are burned, and the USDC transfer fails.
- This leaves User B with no ZENO and no USDC, resulting in a total loss.

Impact

Users face the risk of losing their entire ZENO position without receiving USDC if the contract’s balance is insufficient. This high-likelihood scenario could occur during normal usage, especially under high redemption demand, leading to significant financial losses and reputational damage to the contract.

Tools Used

Manual Code Review: To confirm the burn-before-check sequence.

Recommendations

Add a balance check before burning ZENO tokens to ensure sufficient USDC is available:

```solidity
function redeem(uint amount) external nonReentrant {
    uint256 usdcAmount = amount / 1e12;
    require(USDC.balanceOf(address(this)) >= usdcAmount, "Insufficient USDC balance");
    _burn(msg.sender, amount);
    USDC.safeTransfer(msg.sender, usdcAmount);
}
```
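The two-user scenario from Vulnerability Details, run against the recommended ordering (check, then burn, then transfer), as an added Python model that is not the project's code. It assumes ZENO has 18 decimals and USDC 6 (hence the `amount / 1e12` conversion), and it models a Solidity `require` failure as a revert that rolls back every state change of the call, which is how the EVM treats a reverted transaction. Names (`ZenoRedeemer`, `Revert`, `run_scenario`) are constructed for the example.

```python
# Constructed model of the ZENO -> USDC redemption path with the pre-check.
# Not the project's code; names and sample balances are made up for illustration.
ZENO_DECIMALS = 18
USDC_DECIMALS = 6
SCALE = 10 ** (ZENO_DECIMALS - USDC_DECIMALS)  # 1e12, matching `amount / 1e12`


class Revert(Exception):
    """Models a Solidity revert: carries the reason string; state is rolled back."""


class ZenoRedeemer:
    def __init__(self, usdc_reserve: int, zeno_balances: dict[str, int]) -> None:
        self.usdc_reserve = usdc_reserve          # USDC held by the contract (6 decimals)
        self.usdc_received: dict[str, int] = {}   # USDC paid out to each redeemer
        self.zeno_balances = dict(zeno_balances)  # ZENO per holder (18 decimals)

    def redeem(self, caller: str, amount: int) -> int:
        """Entry point: snapshot state so a revert leaves no partial effects."""
        snapshot = (self.usdc_reserve, dict(self.usdc_received), dict(self.zeno_balances))
        try:
            return self._redeem(caller, amount)
        except Revert:
            self.usdc_reserve, self.usdc_received, self.zeno_balances = snapshot
            raise

    def _redeem(self, caller: str, amount: int) -> int:
        usdc_amount = amount // SCALE  # integer division, as in Solidity

        # Recommended pre-check: fail before any token is burned.
        if self.usdc_reserve < usdc_amount:
            raise Revert("Insufficient USDC balance")

        # _burn(msg.sender, amount)
        if self.zeno_balances.get(caller, 0) < amount:
            raise Revert("ERC20: burn amount exceeds balance")
        self.zeno_balances[caller] -= amount

        # USDC.safeTransfer(msg.sender, usdcAmount)
        self.usdc_reserve -= usdc_amount
        self.usdc_received[caller] = self.usdc_received.get(caller, 0) + usdc_amount
        return usdc_amount


def run_scenario() -> dict:
    """1000 USDC in reserve, 2000 ZENO outstanding: A redeems first, then B."""
    one_zeno = 10 ** ZENO_DECIMALS
    one_usdc = 10 ** USDC_DECIMALS
    contract = ZenoRedeemer(
        usdc_reserve=1000 * one_usdc,
        zeno_balances={"A": 1000 * one_zeno, "B": 1000 * one_zeno},
    )
    paid_to_a = contract.redeem("A", 1000 * one_zeno)
    try:
        contract.redeem("B", 1000 * one_zeno)
        b_reason = None
    except Revert as exc:
        b_reason = str(exc)
    return {
        "a_usdc": paid_to_a,
        "b_reason": b_reason,
        "b_zeno_left": contract.zeno_balances["B"],
        "reserve_left": contract.usdc_reserve,
    }


if __name__ == "__main__":
    print(run_scenario())
```

With the check in place, User B's call stops at the `require` with the explicit reason "Insufficient USDC balance" and B's 1000 ZENO are untouched, which is the property the recommendation is meant to guarantee: no burn can happen unless the contract already holds the USDC to pay for it.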
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
