Core Contracts

Summary

The redeemAll function allows users to call it even if they have zero ZENO tokens. This can lead to a Denial-of-Service (DoS) attack where malicious users continuously call the function without actually redeeming any tokens, consuming gas and potentially congesting the contract execution.

Vulnerability Details

No Balance Check Before Execution

• The function retrieves the caller’s balance with balanceOf(msg.sender), but does not check if amount > 0 before executing further logic.

• If msg.sender has zero ZENO tokens, the function still executes unnecessary logic, including:

  • Checking isRedeemable()

  • Modifying totalZENORedeemed (by adding 0)

  • Calling _burn(msg.sender, 0)

  • Attempting a zero-value transfer with USDC.safeTransfer(msg.sender, 0)

• Potential DoS Attack Vector

  • Gas-Wasting Attack: Malicious users could repeatedly call redeemAll() with zero balance, forcing legitimate transactions to compete for gas.

  • Unnecessary State Updates: Even though no ZENO tokens are burned or transferred, the function still executes redundant computations and state changes.

Impact

Denial-of-Service (DoS) Attack:

• If multiple users spam transactions with zero balance, this could congest execution and increase gas fees for legitimate users.

• Gas Inefficiency:

  • Users calling this function without a balance still waste gas, leading to poor user experience.

• Unnecessary Function Calls:

  • Redundant calls to _burn() and safeTransfer() increase contract execution time without achieving anything meaningful.

Tools Used

Manual Review

Recommendations

Add a Balance Check at the Start

• Prevent execution if the caller has zero ZENO tokens: Add a Balance Check at the Start