The ZENO contract's redeem() function fails to handle decimal precision differences between ZENO (18 decimals) and USDC (6 decimals) tokens, potentially causing transfers of 1000x more USDC than intended or failed redemptions.
In the ZENO contract:
Example 1: Redeeming 1.0 ZENO
  amount = 1e18 (1 ZENO, 18 decimals)
  Current transfer: 1e18 USDC base units (1 trillion USDC)
  Expected transfer: 1e6 USDC base units (1 USDC)
Example 2: Redeeming 100 ZENO
  amount = 100e18 (100 ZENO, 18 decimals)
  Current transfer: 100e18 USDC base units (100 trillion USDC)
  Expected transfer: 100e6 USDC base units (100 USDC)
Failed redemptions because the contract's USDC balance cannot cover the inflated transfer
Potential for massive unintended USDC transfers
Broken redemption mechanism
Users unable to redeem their ZENO tokens
Protocol's USDC reserves at risk whenever the contract does hold enough USDC to cover the inflated transfer
Manual code review
Convert the ZENO amount (18 decimals) into USDC units (6 decimals) before calling transfer on USDC
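The following is an added illustration of the recommendation, not the ZENO contract's code: a hypothetical redeemer that shows the vulnerable pattern beside a version that queries USDC's decimals() and scales the amount, rejecting dust that would round down to zero. The interface, contract and function names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used here (assumed interface, not ZENO's own code).
interface IERC20Metadata {
    function decimals() external view returns (uint8);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical redeemer illustrating the bug and the fix; not the ZENO contract.
contract DecimalAwareRedeemer {
    IERC20Metadata public immutable usdc;          // 6-decimal payout token
    uint8 public constant ZENO_DECIMALS = 18;
    mapping(address => uint256) public balanceOf;  // constructed ZENO balances

    constructor(IERC20Metadata _usdc) { usdc = _usdc; }

    // Vulnerable pattern: the 18-decimal ZENO amount is passed straight to a
    // 6-decimal token, so redeeming 1 ZENO (1e18) asks for 1e18 USDC units.
    function redeemUnsafe(uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        require(usdc.transfer(msg.sender, amount), "transfer failed");
    }

    // Converts an 18-decimal ZENO amount into USDC base units using the
    // decimals USDC actually reports, so the scaling works in either direction.
    function toUsdcUnits(uint256 amount) public view returns (uint256) {
        uint8 usdcDecimals = usdc.decimals();
        if (usdcDecimals == ZENO_DECIMALS) return amount;
        if (usdcDecimals < ZENO_DECIMALS) {
            // USDC case: 1e18 / 1e12 == 1e6
            return amount / (10 ** uint256(ZENO_DECIMALS - usdcDecimals));
        }
        return amount * (10 ** uint256(usdcDecimals - ZENO_DECIMALS));
    }

    // Fixed pattern: scale first, refuse amounts that round to zero USDC units.
    function redeem(uint256 amount) external {
        uint256 payout = toUsdcUnits(amount);
        require(payout > 0, "amount below USDC precision");
        balanceOf[msg.sender] -= amount;
        require(usdc.transfer(msg.sender, payout), "transfer failed");
    }
}
```

The payout > 0 check matters because any ZENO amount under 1e12 base units would otherwise burn the user's tokens while transferring nothing.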