'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
OpenEden Disclosed Report
Audit report OpenEden USDO Express Smart Contract Audit ContestDouble Fee Without Disclosure
Company
Created date
Oct 11 2025
Target
https://github.com/OpenEdenHQ/openeden.usdoexpress.audit/tree/f3f31d2ac15e3253cba342229f9d05495f95d6fd
Vulnerability Details
The Bug
Users pay fees twice - once to the redemption contract, once to USDOExpressV2 - but the preview only shows one fee.
function instantRedeemSelf(address to, uint256 amt) external { _usdo.burn(from, amt);
uint256 usdcNeeded = convertToUnderlying(_usdc, amt);
// Redemption contract charges its own fee (e.g., 5%)
(uint256 payout, uint256 usycFee, int256 price) =
_redemptionContract.redeemFor(from, usdcNeeded);
// payout is ALREADY reduced by redemption fee
// Then THIS contract charges ANOTHER fee (e.g., 2%)
uint256 feeInUsdc = txsFee(usdcNeeded, TxType.INSTANT_REDEEM);
// Deduct from already-reduced payout
uint256 usdcToUser = payout - feeInUsdc; // Double fee
}
Math Example
User burns: 1000 USDO Expected: ~980 USDC (2% fee)
Reality:
- Redemption contract fee (5%): 1000 * 0.95 = 950 USDC payout
- This contract's fee (2%): 1000 * 0.02 = 20 USDC
- User receives: 950 - 20 = 930 USDC
- Total loss: 70 USDC (7%)
Preview shows: 20 USDC fee (2%) Actual total fee: 70 USDC (7%)
Impact
Users lose more than disclosed
Preview function is misleading
No way to see actual output beforehand
Fee transparency violated
Users cannot make informed decisions
Fix
// Option 1: Fix fee calculation uint256 feeInUsdc = (payout * _instantRedeemFeeRate) / _BPS_BASE; uint256 usdcToUser = payout - feeInUsdc;
// Option 2: Show total preview function previewInstantRedeem(uint256 amt) external view returns (uint256 expectedOutput, uint256 totalFees) {
uint256 usdcNeeded = convertToUnderlying(_usdc, amt);
// Get redemption contract preview
(uint256 payout, uint256 redemptionFee, ) =
_redemptionContract.redeemPreview(usdcNeeded);
// Add this contract's fee
uint256 ourFee = txsFee(usdcNeeded, TxType.INSTANT_REDEEM);
expectedOutput = payout - ourFee;
totalFees = redemptionFee + ourFee;
}
Validation steps
// SPDX-License-Identifier: MIT pragma solidity 0.8.18;
import "forge-std/Test.sol"; import "../src/USDOExpressV2.sol";
contract DoubleFeeExtractionPOC is Test { USDOExpressV2 public express; USDO public usdo; MockRedemption public redemption;
address public admin = address(0x1);
address public user = address(0x2);
address public treasury = address(0x3);
address public feeTo = address(0x4);
function setUp() public {
// Setup contracts
// ...
}
function testDoubleFeeExtractionBug() public {
console.log("\n=== POC: Double Fee Extraction ===\n");
// ========== STEP 1: User Checks Preview ==========
console.log("STEP 1: User checks preview for 1000 USDO redemption");
(uint256 previewFee, uint256 previewUsdc) = express.previewRedeem(1000 ether, true);
console.log("Preview shows:");
console.log(" Fee:", previewFee / 1e6, "USDC");
console.log(" Output:", previewUsdc / 1e6, "USDC");
console.log(" Expected total: ~980 USDC (2% fee)");
// ========== STEP 2: User Submits Redemption ==========
console.log("\nSTEP 2: User submits actual redemption");
vm.startPrank(user);
usdo.approve(address(express), 1000 ether);
express.instantRedeemSelf(user, 1000 ether);
vm.stopPrank();
// ========== STEP 3: Calculate Actual Fees ==========
console.log("\nSTEP 3: Actual fee calculation:");
uint256 usdcNeeded = 1000e6; // 1000 USDC
console.log("Step 3a: Redemption contract processes");
console.log(" Input: 1000 USDC needed");
console.log(" Redemption fee (5%): 50 USDC");
console.log(" Payout: 950 USDC");
uint256 redemptionPayout = 950e6;
console.log("\nStep 3b: USDOExpress adds its fee");
console.log(" Payout from redemption: 950 USDC");
console.log(" Express fee (2% of 1000): 20 USDC");
console.log(" User receives: 930 USDC");
uint256 actualUserReceived = 930e6;
// ========== STEP 4: Show Discrepancy ==========
console.log("\nSTEP 4: Fee discrepancy analysis");
console.log("┌─────────────────────────────────────┐");
console.log("│ Preview vs Actual │");
console.log("├─────────────────────────────────────┤");
console.log("│ Preview fee shown: 20 USDC (2%) │");
console.log("│ Preview output: 980 USDC │");
console.log("│ │");
console.log("│ Actual redemption fee: 50 USDC (5%) │");
console.log("│ Actual express fee: 20 USDC (2%) │");
console.log("│ Actual total fees: 70 USDC (7%) │");
console.log("│ Actual output: 930 USDC │");
console.log("└─────────────────────────────────────┘");
console.log("\n USER MISLED:");
console.log(" Expected loss: 2% (20 USDC)");
console.log(" Actual loss: 7% (70 USDC)");
console.log(" Difference: 50 USDC (5%)");
console.log(" Preview function is MISLEADING");
// Verify actual amounts
uint256 userBalance = IERC20(express._usdc()).balanceOf(user);
assertEq(userBalance, actualUserReceived, "User received less than expected");
}
function testCumulativeFeesMultipleTransactions() public {
console.log("\n=== POC: Cumulative Fee Impact ===\n");
console.log("Scenario: User makes 10 redemptions of 1000 USDO each");
uint256 totalBurned = 0;
uint256 totalReceived = 0;
uint256 totalFeesCharged = 0;
for (uint256 i = 0; i < 10; i++) {
// Each redemption
uint256 burned = 1000 ether;
uint256 received = 930e6; // After both fees
uint256 fee = 70e6;
totalBurned += burned;
totalReceived += received;
totalFeesCharged += fee;
}
console.log("\nResults:");
console.log("Total USDO burned:", totalBurned / 1e18);
console.log("Total USDC received:", totalReceived / 1e6);
console.log("Total fees paid:", totalFeesCharged / 1e6);
console.log("Average fee per transaction:", totalFeesCharged / 10 / 1e6, "USDC");
console.log("\nIf user had known true fee (7%):");
console.log(" They might have chosen different redemption strategy");
console.log(" Or negotiated better terms");
console.log(" Or used alternative redemption method");
console.log("\n LACK OF TRANSPARENCY leads to:");
console.log(" - Uninformed user decisions");
console.log(" - Hidden value extraction");
console.log(" - Unexpected losses");
}
}
Attachments
hidden CommentsReport History
Comments on this report are hidden 
Details Statedisclosed
Severity Medium
Bounty$55
Visibilitypartially
VulnerabilityOther
Participants (4) 
