Description

The USDz contract has internal helper functions for minting and burning USDz tokens, _mintUSDz and _burnUSDz:

function _mintUSDz(address _receiver, uint256 _amount) internal {
    _mint(_receiver, _amount);
    totalPooledSPCT = totalPooledSPCT.add(_amount);
    emit Mint(msg.sender, _amount);
    emit Transfer(address(0), _receiver, _amount);
}

function _burnUSDz(address _account, uint256 _amount) internal {
    _burn(_account, _amount);

    totalPooledSPCT = totalPooledSPCT.sub(_amount);
    emit Burn(msg.sender, _amount);
    emit Transfer(_account, address(0), _amount);
}

These functions call the _mint or _burn functions in the OpenZeppelin ERC20 implementation, record the pooled amount of SPCT tokens, and emit the events Burn and Transfer.

However, the _mint and _burn functions also emit the Transfer event via calls to the _update function:

function _mint(address account, uint256 value) internal {
    // ...
    _update(address(0), account, value);
}

function _burn(address account, uint256 value) internal {
    // ...
    _update(account, address(0), value);
}

function _update(address from, address to, uint256 value) internal virtual {
    // ...
    emit Transfer(from, to, value);
}

As a result, the identical Transfer event would be emitted twice when USDz tokens are minted or burnt.

Impact

Although this issue will not affect the business logic of this contract, it is possible that an off-chain infrastructure depending on this event fails to properly track the minting and burning of USDz tokens.

Recommendations

Consider removing the code that emits the Transfer event, as it is already being emitted.

Remediation

This issue has been acknowledged by Anzen Group Ltd., and a fix was implemented in commit 66273edb↗.