code-423n4 / 2022-07-swivel-findings


QA Report #123

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Typo

"can can" should be "can".

Tokens/ZcToken.sol Creator/ZcToken.sol 127:

        // some 5095 tokens may have custody of underlying and can can just burn PTs and transfer underlying out, while others rely on external custody

Unused return values can be removed

Creator/VaultTracker.sol VaultTracker/VaultTracker.sol

143-146:

    function matureVault(uint256 c) external authorized(admin) returns (bool) {
      maturityRate = c;
      return true;
    }

But the return value of matureVault() is not used.

Marketplace/MarketPlace.sol

101-102:
    // NOTE we don't check the return of this simple operation
    IVaultTracker(market.vaultTracker).matureVault(exchangeRate);

Suggestion: Remove the return line from the function.

ZcToken mint() unnecessary check

When mintZcTokenAddingNotional() is called, the return value of mint() in ZcToken is checked.

Marketplace\MarketPlace.sol

118:    if (!IZcToken(market.zcToken).mint(t, a)) { revert Exception(28, 0, 0, address(0), address(0)); }
249:    if (!IZcToken(market.zcToken).mint(z, a)) { revert Exception(28, 0, 0, address(0), address(0)); }
287:    if (!IZcToken(market.zcToken).mint(t, a)) { revert Exception(28, 0, 0, address(0), address(0)); }

However, in ZcToken.sol: Tokens\ZcToken.sol

    function mint(address t, uint256 a) external onlyAdmin(address(redeemer)) returns (bool) {
        _mint(t, a);
        return true;
    }

Which calls the following: Creator\Erc20.sol

    function _mint(address to, uint256 amount) internal virtual {
        totalSupply += amount;

        // Cannot overflow because the sum of all user
        // balances can't exceed the max uint256 value.
        unchecked {
            balanceOf[to] += amount;
        }

        emit Transfer(address(0), to, amount);
    }

The only exception is overflow: totalSupply += amount.

The check for the return value of mint() is unnecessary.

Suggestion: Just call mint() directly:

    IZcToken(market.zcToken).mint(t, a);