Submission Details
Severity:
Catastrophic Decimal Mismatch in `Auction::buy` Causes User Fund Drainage
Summary
The Auction::buy function fails to account for the 12-order-of-magnitude decimal mismatch between USDC (6 decimals) and ZENO (18 decimals). This creates a critical precision inversion:
When purchasing
amount=1ZENO atprice=1:Actual Transfer: 1e-6 USDC (1 microdollar)
Minted Value: 1e-18 ZENO
Subsequent
ZENO::redeemAlloperations only transfer 1e-18 USDC instead of the correct 1e-6 USDC.
Vulnerability Details
function buy(uint256 amount) external whenActive {
require(amount <= state.totalRemaining, "Not enough ZENO remaining");
uint256 price = getPrice();
uint256 cost = price * amount;
require(usdc.transferFrom(msg.sender, businessAddress, cost), "Transfer failed");
bidAmounts[msg.sender] += amount;
state.totalRemaining -= amount;
state.lastBidTime = block.timestamp;
state.lastBidder = msg.sender;
zeno.mint(msg.sender, amount); <==@found
emit ZENOPurchased(msg.sender, amount, price);
}
Impact
Incorrect transfers result in user fund loss.
Tools Used
Manual Review
Recommendations
Add precision conversion.
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.