Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Decimal Handling Issue in redeem Function of ZENO Contract

Summary

The redeem function in the ZENO contract transfers USDC to the user without converting the decimals between ZENO (18 decimals) and USDC (6 decimals). This can result in incorrect transfer amounts when redeeming ZENO tokens.

Vulnerability Details

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/zeno/ZENO.sol#L62

In the redeem and redeemAll functions, the contract transfers an amount of USDC that is directly equal to the number of ZENO tokens redeemed. However, ZENO tokens have 18 decimals, while USDC has only 6 decimals. This discrepancy in decimal places could lead to a mismatch in the expected transfer amount.

Impact

Users may receive much more or much less USDC than expected, potentially leading to incorrect behavior or errors.

Tools Used

Manual review

Recommendations

To fix this issue, you should adjust the redeem and redeemAll functions to convert the ZENO token amount into the correct USDC amount, considering the difference in decimal places.
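One way to perform the conversion recommended above, as an added example that is not code from the ZENO contract or the RAAC repository. The names RedemptionScaling, RedemptionQuoter, toPayout and DustAmount are hypothetical, and a 1:1 nominal rate between ZENO and USDC is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example with hypothetical names; not the project's implementation.
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

library RedemptionScaling {
    // Raised when the amount is too small to pay out a single USDC base unit.
    error DustAmount(uint256 zenoAmount, uint256 granularity);

    /// Converts raw ZENO units to raw USDC units (assumed 1:1 nominal rate).
    /// `burnable` is the ZENO amount actually covered by the payout, so the
    /// caller never burns a remainder that was truncated by the division.
    function toPayout(uint256 zenoAmount, uint8 zenoDecimals, uint8 usdcDecimals)
        internal pure returns (uint256 payout, uint256 burnable)
    {
        if (zenoDecimals >= usdcDecimals) {
            uint256 factor = 10 ** uint256(zenoDecimals - usdcDecimals);
            payout = zenoAmount / factor;          // scale down, rounds toward zero
            if (payout == 0) revert DustAmount(zenoAmount, factor);
            burnable = payout * factor;            // exclude the truncated remainder
        } else {
            uint256 factor = 10 ** uint256(usdcDecimals - zenoDecimals);
            payout = zenoAmount * factor;          // scale up, no precision loss
            burnable = zenoAmount;
        }
    }
}

contract RedemptionQuoter {
    uint8 public immutable zenoDecimals;
    uint8 public immutable usdcDecimals;

    // Decimals are read from the tokens once instead of being hard-coded.
    constructor(address zeno, address usdc) {
        zenoDecimals = IERC20Decimals(zeno).decimals();
        usdcDecimals = IERC20Decimals(usdc).decimals();
    }

    /// Returns the USDC to transfer and the ZENO to burn for a redemption.
    function quote(uint256 zenoAmount) external view returns (uint256 payout, uint256 burnable) {
        return RedemptionScaling.toPayout(zenoAmount, zenoDecimals, usdcDecimals);
    }
}
```

A redeem path using this would burn `burnable` and transfer `payout`, leaving any sub-unit remainder with the holder.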

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
