Core Contracts

Summary

The Auction and ZENO contracts suffer from decimals mismatch issue due to the difference in decimal scales between USDC (6 decimals) and ZENO (18 decimals). This mismatch causes significant miscalculations in both the purchase (buy) and redemption (redeem, redeemAll) processes, leading to incorrect cost calculations and overpayments.

Vulnerability Details

1. Decimals Mismatch :

   • USDC uses 6 decimals, while ZENO defaults to 18 decimals (standard for ERC20 tokens).

   • The Auction contract calculates the cost of purchasing ZENO tokens as price * amount without scaling the result to match USDC's decimal scale.

     uint256 cost = price * amount;

   • The ZENO contract transfers USDC directly using the amount parameter (expressed in ZENO wei), resulting in users receiving 10^12 times more USDC than intended.

2. Lack of Scaling Logic :

   • Neither the Auction nor the ZENO contract accounts for the difference in decimal scales when performing calculations or transfers involving USDC and ZENO.

Examples

• In Auction Contract :

  • If price = 1e6 (1 USDC per ZENO) and amount = 1e18 (1 ZENO token), the calculated cost would be:

    ​

    cost = 1e6 \* 1e18 = 1e24 USDC units

• In ZENO Contract :

  • Redeeming 1 ZENO (10^18 ZENO wei) should yield 1 USDC (10^6 USDC wei), assuming a 1:1 redemption rate.

  • Current code transfers 10^18 USDC wei = 10^12 USDC, which is catastrophically wrong.

Impact

1. Incorrect Pricing in Auction

   • Users are charged vastly more or less than intended during the auction process.

2. Overpayment in Redemption :

   • Users receive far more USDC than intended during redemption, potentially draining the contract of its USDC balance.

Tools Used

Manual Review

Recommendations

1. Introduce Scaling Logic :

   • Update the buy function in the Auction contract to scale the calculated cost to match USDC's decimal scale

   • Update the redeem and redeemAll functions in the ZENO contract to scale the redemption amount to match USDC's decimal scale