The ZENO contract burns ZENO tokens before confirming that it holds enough USDC to pay out the redemption, risking user losses if the contract runs out of USDC. This high-impact, high-likelihood vulnerability could leave users without their redeemed value even after their ZENO tokens are destroyed, because the burn has already taken effect by the time the USDC transfer fails.
In the redeem function, ZENO tokens are burned before the contract's USDC balance is checked. Consider the following scenario:
The contract holds 1000 USDC but has 2000 ZENO outstanding.
User A redeems 1000 ZENO, receiving 1000 USDC successfully.
User B attempts to redeem 1000 ZENO, but with no USDC left, their tokens are burned, and the USDC transfer fails.
This leaves User B with no ZENO and no USDC, resulting in a total loss.
Users face the risk of losing their entire ZENO position without receiving USDC whenever the contract's balance is insufficient. The loss materializes when the failed transfer does not revert the transaction (for example, when the token's boolean return value is not checked); if the USDC call itself reverts, the burn is rolled back with it and the user is only denied redemption rather than losing funds. This scenario can arise during normal usage, especially under high redemption demand, and would lead to significant financial losses and reputational damage to the protocol.
Manual Code Review: to confirm the burn-before-check sequence in the redeem function.
Add a balance check before burning ZENO tokens to ensure sufficient USDC is available:
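The following contract is an added illustration written for this finding, not code from the ZENO codebase. It assumes a hypothetical 1:1 redemption (one ZENO for one USDC, both with 6 decimals), a minimal ERC20 interface for USDC, and in-contract ZENO balances so that it compiles on its own. It places the vulnerable ordering beside the hardened one: the fix checks the contract's USDC balance before any ZENO state is touched and treats a false return from `transfer` as a failure, so the burn can never outlive a failed payout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed here (hypothetical; not the ZENO interfaces).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical redemption contract: 1 ZENO redeems for 1 USDC.
contract ZenoRedemption {
    IERC20 public immutable usdc;
    mapping(address => uint256) public balanceOf; // ZENO balances (illustrative)
    uint256 public totalSupply;                    // ZENO supply (illustrative)

    error InsufficientZeno(uint256 requested, uint256 available);
    error InsufficientUsdc(uint256 requested, uint256 available);
    error UsdcTransferFailed();

    event Redeemed(address indexed user, uint256 amount);

    constructor(IERC20 _usdc) {
        usdc = _usdc;
    }

    // Burns ZENO from `from`; reverts if the holder lacks the balance.
    function _burn(address from, uint256 amount) internal {
        uint256 held = balanceOf[from];
        if (held < amount) revert InsufficientZeno(amount, held);
        balanceOf[from] = held - amount;
        totalSupply -= amount;
    }

    // VULNERABLE ordering: ZENO is burned first and the USDC transfer's
    // return value is ignored. If the token reports failure by returning
    // false (instead of reverting), the burn persists while the caller
    // receives nothing, which is the loss described in the finding.
    function redeemVulnerable(uint256 amount) external {
        _burn(msg.sender, amount);
        usdc.transfer(msg.sender, amount); // unchecked return value
    }

    // HARDENED: verify the payout can be made before mutating ZENO state,
    // keep the burn ahead of the external call (checks-effects-interactions),
    // and revert if the transfer reports failure so everything rolls back.
    function redeem(uint256 amount) external {
        uint256 available = usdc.balanceOf(address(this));
        if (available < amount) revert InsufficientUsdc(amount, available);

        _burn(msg.sender, amount);

        if (!usdc.transfer(msg.sender, amount)) revert UsdcTransferFailed();
        emit Redeemed(msg.sender, amount);
    }
}
```

Note that the remedy is to add the balance check in front of the burn, not to move the burn after the transfer: burning before the external call is the correct checks-effects-interactions order, and moving it afterwards would trade this issue for a reentrancy surface. The explicit check also gives users a clear `InsufficientUsdc` revert instead of relying on whatever the token happens to do when the contract is short of funds.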