Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Token Decimal Mismatch in the ZENO Token Redemption Mechanism will Lead to Inaccurate USDC Payouts

Summary

The ZENO token contract enables users to redeem their tokens for USDC on a 1:1 basis. However, a critical issue arises because the contract inherits the standard ERC20 implementation, which defaults to 18 decimals, while USDC typically operates with 6 decimals. This discrepancy means that the redemption process could either transfer vastly too many or too few USDC units relative to the ZENO token amount, causing significant financial inaccuracies.

Vulnerability Details

The redemption functions in the ZENO contract—redeem and redeemAll—both call:

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/zeno/ZENO.sol#L62

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/zeno/ZENO.sol#L73

USDC.safeTransfer(msg.sender, amount);

Here, the amount parameter corresponds directly to the ZENO token amount, which by default uses 18 decimals as per OpenZeppelin’s ERC20 implementation. In contrast, USDC usually uses 6 decimals. This lack of conversion or explicit handling means that if a user redeems, say, 1 ZENO token (1e18 units in ERC20 terms), the contract will attempt to transfer 1e18 USDC units. In standard USDC terms, this would represent 1e12 USDC dollars—a severe miscalculation.

Additionally, there is no conversion factor or override of the decimals() function in the ZENO contract to align its unit scale with USDC if the intention was for a 1:1 conversion. This oversight leads to a fundamental mismatch between the token’s internal accounting and the actual value of USDC, risking either over-redemption or transaction failures due to insufficient USDC balance.

Impact

Users redeeming ZENO tokens may receive an amount of USDC that differs from what is intended. If the conversion is not handled properly, users may either lose value or trigger reverts because the contract does not hold enough USDC to cover the mis-scaled transfer.

Tools Used

  • Manual code review

Recommendations

You have two options based on your intended design:

  • Option 1: Override the decimals() function in the ZENO contract to return 6 if the intention is for ZENO to operate on the same scale as USDC.

  • Option 2: Introduce a conversion factor in the redemption functions to properly scale the amount from 18 decimals to 6 decimals.
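The following is an added illustration of both recommendations and is not the RAAC project's code. It assumes OpenZeppelin Contracts v5 is available, and the contract names, the `SCALE` constant and the custom error are hypothetical. The first contract keeps ZENO at 18 decimals and scales at redemption (Option 2), showing the vulnerable call shape from the finding beside the corrected one; the second overrides `decimals()` to 6 so that a 1:1 transfer in raw units is correct (Option 1).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin Contracts v5.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Option 2 (hypothetical contract): ZENO keeps the default 18 decimals and
/// the redemption path converts the amount into USDC units.
contract ZenoScaled is ERC20 {
    using SafeERC20 for IERC20;

    IERC20 public immutable USDC;
    /// 10 ** (18 - usdcDecimals); for 6-decimal USDC this is 1e12.
    uint256 public immutable SCALE;

    error AmountNotWholeUsdcUnit(uint256 amount);

    constructor(IERC20 usdc) ERC20("ZENO", "ZENO") {
        USDC = usdc;
        // Read the payout token's decimals instead of hard-coding 6, so the
        // scale factor is right on any chain where USDC differs.
        uint8 usdcDecimals = IERC20Metadata(address(usdc)).decimals();
        require(usdcDecimals <= 18, "unsupported USDC decimals");
        SCALE = 10 ** uint256(18 - usdcDecimals);
    }

    // Vulnerable shape described in the finding (shown for contrast only):
    //
    //     _burn(msg.sender, amount);
    //     USDC.safeTransfer(msg.sender, amount);
    //
    // Redeeming 1 ZENO (amount = 1e18) asks for 1e18 raw USDC units,
    // i.e. 1e12 whole USDC, so the call either overpays or reverts.

    /// Hardened: burn 18-decimal ZENO units, pay the equivalent 6-decimal
    /// USDC units. Amounts that are not a whole USDC unit are rejected
    /// rather than rounded down, so no ZENO is burned without a matching
    /// payout.
    function redeem(uint256 amount) external {
        if (amount % SCALE != 0) revert AmountNotWholeUsdcUnit(amount);
        uint256 usdcAmount = amount / SCALE;
        _burn(msg.sender, amount);
        USDC.safeTransfer(msg.sender, usdcAmount);
    }
}

/// Option 1 (hypothetical contract): make ZENO a 6-decimal token so that
/// one raw ZENO unit is one raw USDC unit and the 1:1 transfer is correct.
contract ZenoSixDecimals is ERC20 {
    using SafeERC20 for IERC20;

    IERC20 public immutable USDC;

    constructor(IERC20 usdc) ERC20("ZENO", "ZENO") {
        USDC = usdc;
    }

    /// Override the OpenZeppelin default of 18 to match USDC.
    function decimals() public pure override returns (uint8) {
        return 6;
    }

    function redeem(uint256 amount) external {
        _burn(msg.sender, amount);
        USDC.safeTransfer(msg.sender, amount);
    }
}
```

With Option 1, every mint and every off-chain display must also use 6-decimal units, so the change reaches beyond the redemption functions. With Option 2, the modulus check is a deliberate choice: silently rounding `amount / SCALE` down would burn up to `SCALE - 1` ZENO units per redemption for nothing, so either reject such amounts, as above, or burn only `usdcAmount * SCALE` and leave the remainder with the user.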

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
