Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
Prize pool: 77,280 USDC
Submission Details
Severity: low
Invalid

Single User Can Purchase All Tokens in Auction

Summary

The RAAC Auction Contract does not impose any per-user purchase limit. Consequently, a single user can buy all of the available ZENO tokens in one transaction, potentially monopolizing the auction and undermining fair token distribution.

Vulnerability Details

The buy(uint256 amount) function allows users to purchase ZENO tokens in exchange for USDC during the auction. The only limitation is that the requested amount must not exceed state.totalRemaining. There is no restriction on how much a single user can buy as long as sufficient tokens remain, and bidAmounts[msg.sender] is only recorded, never checked.

function buy(uint256 amount) external whenActive {
    require(amount <= state.totalRemaining, "Not enough ZENO remaining");
    uint256 price = getPrice();
    uint256 cost = price * amount;
    require(usdc.transferFrom(msg.sender, businessAddress, cost), "Transfer failed");
    bidAmounts[msg.sender] += amount;
    state.totalRemaining -= amount;
    state.lastBidTime = block.timestamp;
    state.lastBidder = msg.sender;
    zeno.mint(msg.sender, amount);
    emit ZENOPurchased(msg.sender, amount, price);
}

Proof-of-Concept (POC)

  1. Initial Conditions:

    • Total allocation: state.totalAllocated = 1,000,000 tokens

    • Remaining tokens: state.totalRemaining = 1,000,000 tokens

  2. User Action:

    • A user calls buy(1,000,000).

    • The require statement passes since 1,000,000 <= state.totalRemaining.

    • The cost is calculated and USDC is transferred from the user to the business address.

    • The user's bid amount increases by 1,000,000 tokens, and state.totalRemaining is reduced to 0.

    • The contract mints 1,000,000 ZENO tokens to the user.

  3. Outcome:

    • The single user acquires all tokens available in the auction, effectively monopolizing the entire allocation.

Impact

  • One user controlling all tokens can lead to market manipulation and loss of decentralization.

  • The absence of per-user limits undermines the auction's fairness, deterring broader participation and eroding stakeholder confidence.

Tools Used

Manual Review

Recommendations

Implement a per-user purchase limit in the buy function (for example, a cap on the cumulative bidAmounts[msg.sender] as a fraction of state.totalAllocated) to prevent a single user from buying all the tokens, ensuring fairer distribution during the auction.
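The following is an added illustration of the recommended check, not code from the RAAC repository. It reproduces the shape of the buy function shown above inside a minimal self-contained contract, with a hypothetical maxPerUser cap enforced on the caller's cumulative purchases. The IERC20Like and IZENOLike interfaces, the AuctionState struct, the constant getPrice() and the constructor are assumptions made so the example compiles on its own; the real contract's types and price curve may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces assumed for this example (not the project's own).
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IZENOLike {
    function mint(address to, uint256 amount) external;
}

contract CappedAuctionExample {
    // Assumed layout; the real contract keeps its own state struct.
    struct AuctionState {
        uint256 totalAllocated;
        uint256 totalRemaining;
        uint256 lastBidTime;
        address lastBidder;
    }

    IERC20Like public immutable usdc;
    IZENOLike public immutable zeno;
    address public immutable businessAddress;
    // Hypothetical per-user cap, expressed in ZENO units (e.g. 5% of totalAllocated).
    uint256 public immutable maxPerUser;

    AuctionState public state;
    mapping(address => uint256) public bidAmounts;
    bool public active;

    event ZENOPurchased(address indexed buyer, uint256 amount, uint256 price);

    modifier whenActive() {
        require(active, "Auction not active");
        _;
    }

    constructor(
        IERC20Like _usdc,
        IZENOLike _zeno,
        address _business,
        uint256 _totalAllocated,
        uint256 _maxPerUser
    ) {
        require(_maxPerUser > 0 && _maxPerUser <= _totalAllocated, "Bad cap");
        usdc = _usdc;
        zeno = _zeno;
        businessAddress = _business;
        state.totalAllocated = _totalAllocated;
        state.totalRemaining = _totalAllocated;
        maxPerUser = _maxPerUser;
        active = true;
    }

    // Placeholder pricing (1 USDC with 6 decimals per token); the real auction
    // uses its own price curve, which is not reproduced here.
    function getPrice() public pure returns (uint256) {
        return 1e6;
    }

    function buy(uint256 amount) external whenActive {
        require(amount > 0, "Zero amount");
        require(amount <= state.totalRemaining, "Not enough ZENO remaining");
        // The added check: the caller's cumulative purchases may not exceed the cap,
        // so a single buy(totalRemaining) call from one address reverts.
        require(bidAmounts[msg.sender] + amount <= maxPerUser, "Per-user cap exceeded");

        uint256 price = getPrice();
        uint256 cost = price * amount;

        // Update state before external calls (checks-effects-interactions).
        bidAmounts[msg.sender] += amount;
        state.totalRemaining -= amount;
        state.lastBidTime = block.timestamp;
        state.lastBidder = msg.sender;

        require(usdc.transferFrom(msg.sender, businessAddress, cost), "Transfer failed");
        zeno.mint(msg.sender, amount);
        emit ZENOPurchased(msg.sender, amount, price);
    }
}
```

The cap is checked against the running total in bidAmounts rather than the single call's amount, otherwise the limit could be met by splitting one purchase into several calls. Note also what such a cap does and does not guarantee: it raises the cost of concentrating the allocation in one address, but fresh addresses are cheap, so it is a fairness measure rather than a hard bound on what one party can hold, which is consistent with the judge classifying the finding as a design choice.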

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
