The redeem and redeemAll functions in the ZENO contract burn ZENO tokens and transfer USDC on a 1:1 basis without adjusting for the difference in decimal places. Since ZENO uses 18 decimals and USDC typically uses 6 decimals, this discrepancy can lead to a severe over-redemption of USDC.
In the redeem function, the following operations occur:
Here, the function uses the raw amount parameter both for burning ZENO tokens and for transferring USDC. However, ZENO is implemented with 18 decimals while USDC is implemented with 6. A user who redeems "1 ZENO" in human-readable terms (i.e., 1e18 base units) therefore causes the contract to attempt a transfer of 1e18 USDC base units, whereas 1 USDC (human value) is only 1e6 base units. This is a mismatch by a factor of 1e12.
Due to the decimal mismatch, users could potentially redeem far more USDC than intended for each ZENO token burned, leading to an economic loss for the protocol. In a worst-case scenario, malicious actors could drain the USDC reserves from the contract by repeatedly exploiting the flawed redemption mechanism.
Manual Review
Modify the redeem and redeemAll functions to apply the proper conversion factor. Convert the amount before transferring USDC:
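The following is an added illustration written for this finding, not the ZENO contract's own code: a minimal contract that places the decimal-unaware redeem beside a hardened version which scales the amount from ZENO's 18 decimals to the reserve token's decimals() before transferring. The interface, storage and `_burn` helper are assumptions that stand in for the real ERC20 base; the 1:1 peg is taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface for the USDC-like reserve token (assumed, for illustration only).
interface IERC20Like {
    function decimals() external view returns (uint8);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical redemption sketch, not the ZENO contract's own code.
// _balances/_burn stand in for the ERC20 base used by the real token.
contract RedeemDecimalsExample {
    IERC20Like public immutable usdc;
    mapping(address => uint256) private _balances;
    uint8 public constant ZENO_DECIMALS = 18;

    constructor(IERC20Like _usdc) { usdc = _usdc; }

    function _burn(address from, uint256 amount) internal {
        require(_balances[from] >= amount, "insufficient ZENO");
        _balances[from] -= amount;
    }

    // VULNERABLE (the pattern the finding describes): the raw 18-decimal amount
    // is handed straight to a 6-decimal token, paying out 1e12 times too much.
    function redeemVulnerable(uint256 amount) external {
        _burn(msg.sender, amount);
        usdc.transfer(msg.sender, amount);
    }

    // Hardened: scale from ZENO's 18 decimals to the reserve token's decimals,
    // reading decimals() from the token rather than hard-coding 6.
    function toUsdcUnits(uint256 zenoAmount) public view returns (uint256) {
        uint8 usdcDecimals = usdc.decimals();
        if (usdcDecimals >= ZENO_DECIMALS) {
            return zenoAmount * 10 ** (usdcDecimals - ZENO_DECIMALS);
        }
        return zenoAmount / 10 ** (ZENO_DECIMALS - usdcDecimals);
    }

    function redeemFixed(uint256 amount) external {
        uint256 usdcAmount = toUsdcUnits(amount);
        require(usdcAmount > 0, "amount too small"); // dust below 1e12 would burn for zero payout
        _burn(msg.sender, amount);
        require(usdc.transfer(msg.sender, usdcAmount), "USDC transfer failed");
    }
}
```

With 18-to-6 scaling the division truncates, so the `usdcAmount > 0` check prevents burning ZENO dust for no USDC; a test suite should assert that redeeming 1e18 ZENO moves exactly 1e6 USDC.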