Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect redeem calculation due to decimal handling in `ZENO` token

Summary

Context: ZENO.sol#L46-L63, ZENO.sol#L65-L74

The redeem() and redeemAll() functions in the ZENO contract fail to properly account for the decimal mismatch between the ZENO token (which has 18 decimals) and USDC (which has 6 decimals). This results in incorrect amounts being transferred during the redemption process.

Vulnerability Details

The contract allows users to redeem their ZENO tokens for USDC, but the calculations for transferring USDC do not account for the fact that USDC has 6 decimals, while the ZENO token uses the default 18 decimals. As a result, the amount of USDC transferred is calculated based on the 18-decimal representation of ZENO tokens, which leads to errors in the amount transferred.

Impact

The mismatch in decimals causes the project to lose a significant amount of USDC because the redemption calculation transfers an incorrect amount, overestimating the USDC by a factor of 10^12. Redeeming 1 ZENO token could result in transferring 10^12 times more USDC than intended.

Tools Used

Manual review

Recommendations

Adjust the redemption calculation to account for the decimal difference between ZENO and USDC by scaling the amount transferred appropriately. Use a formula like:

uint256 usdcAmount = zenoAmount * 10**6 / 10**18;

This will ensure that the correct amount of USDC is transferred during redemption, avoiding project losses.
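The scaling recommended above, generalized into a helper, as an added example that is not code from the ZENO contract. The names RedeemMath, scale, quoteRedeem and RedeemMathDemo are hypothetical; the 18 and 6 decimal values come from this finding. It also covers the rounding case the one-line formula leaves open: amounts below 10^12 ZENO base units divide down to 0 USDC.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only; not the ZENO contract's code. All names are hypothetical.
library RedeemMath {
    uint8 internal constant ZENO_DECIMALS = 18; // per the finding
    uint8 internal constant USDC_DECIMALS = 6;  // per the finding

    /// Convert `amount` between two decimal representations, rounding down.
    function scale(uint256 amount, uint8 fromDecimals, uint8 toDecimals)
        internal pure returns (uint256)
    {
        if (fromDecimals == toDecimals) return amount;
        if (fromDecimals > toDecimals) {
            return amount / (10 ** uint256(fromDecimals - toDecimals));
        }
        return amount * (10 ** uint256(toDecimals - fromDecimals));
    }

    /// Returns the USDC to pay out and the ZENO that payout actually covers.
    /// Burning only `zenoBurned` leaves sub-unit dust with the holder
    /// instead of destroying ZENO that paid nothing.
    function quoteRedeem(uint256 zenoAmount)
        internal pure returns (uint256 usdcOut, uint256 zenoBurned)
    {
        usdcOut = scale(zenoAmount, ZENO_DECIMALS, USDC_DECIMALS);
        require(usdcOut > 0, "amount below one USDC base unit");
        zenoBurned = scale(usdcOut, USDC_DECIMALS, ZENO_DECIMALS);
    }
}

contract RedeemMathDemo {
    /// Unscaled behaviour described in the finding: ZENO base units are
    /// treated as USDC base units. 1 ZENO (1e18) -> 1e18 units = 10^12 USDC.
    function unscaled(uint256 zenoAmount) external pure returns (uint256) {
        return zenoAmount;
    }

    /// Scaled behaviour: 1 ZENO (1e18) -> 1e6 units = 1 USDC.
    function scaled(uint256 zenoAmount)
        external pure returns (uint256 usdcOut, uint256 zenoBurned)
    {
        return RedeemMath.quoteRedeem(zenoAmount);
    }
}
```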

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
