Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect Cost Calculation in ZENO Bond Purchase

Summary

In the Auction contract's buy() function, there is a critical decimal precision issue when calculating the cost of ZENO bonds. The function fails to normalize the decimals between the ZENO amount (18 decimals) and the USDC-denominated price (6 decimals), so users are charged vastly more USDC than intended for their ZENO bond purchases.

Vulnerability Details

The vulnerability stems from the decimal mismatch in the cost calculation within the buy() function. Here's a detailed breakdown:

The ZENO token inherits from ERC20, which by default uses 18 decimals. This means when a user wants to purchase an amount of ZENO bonds, the amount parameter is expressed in 18 decimal precision.

    function buy(uint256 amount) external whenActive {
        uint256 price = getPrice();                 // USDC price, 6 decimals
        uint256 cost = price * amount;              // @audit Critical issue here: no normalization by 1e18
        // ...
        zeno.mint(msg.sender, amount);              // @audit amount is in 18 decimals
    }

The getPrice() function returns the price in USDC terms (6 decimals). When this price is multiplied directly by the amount (18 decimals), the product is inflated by a factor of 1e18 relative to the intended USDC cost:

For example:

  • If price = 1 USDC (1_000_000)

  • And user wants to buy 1 ZENO (1e18)

  • The cost calculation becomes: 1_000_000 * 1e18 = 1e24 USDC units

  • This results in a drastically inflated cost instead of the intended 1 USDC

This issue is particularly severe because the contract directly interacts with the business address, transferring the incorrectly calculated USDC amount and minting the correct amount of ZENO tokens.

PoC

  1. Alice wants to buy 1 ZENO token when the price is 1 USDC

  2. Alice calls buy(1000000000000000000) (1 ZENO with 18 decimals)

  3. getPrice() returns 1000000 (1 USDC with 6 decimals)

  4. Cost calculation: 1000000 * 1000000000000000000

  5. Alice is charged an astronomically high amount of USDC instead of just 1 USDC

  6. The contract mints 1 ZENO (correct amount) to Alice

Impact

The vulnerability results in users being overcharged by several orders of magnitude when purchasing ZENO bonds, making the protocol essentially unusable and potentially causing significant financial losses to users who interact with it.

Tools Used

Manual code review

Recommendations

Normalize the decimals in the cost calculation:

    // Divide by 10 ** decimals (1e18 for ZENO), not by the decimals value itself.
    uint256 cost = (price * amount) / (10 ** IERC20Metadata(address(zeno)).decimals());
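A trimmed buy() path with the normalization applied, as an added example (not the Regnum Aurum project's code). It assumes OpenZeppelin's IERC20/IERC20Metadata/SafeERC20, a ZENO token exposing mint() and decimals(), and a price expressed in USDC units per one whole ZENO; contract and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Minimal view of the ZENO token (assumption: it exposes mint() and decimals()).
interface IZeno is IERC20Metadata {
    function mint(address to, uint256 amount) external;
}

/// Hypothetical, trimmed auction showing only the corrected cost path.
contract AuctionCostExample {
    using SafeERC20 for IERC20;

    IZeno public immutable zeno;
    IERC20 public immutable usdc;
    address public immutable business;
    uint256 public immutable zenoUnit; // 10 ** zeno.decimals(): 1e18 for a default ERC20
    uint256 public price;              // USDC units (6 decimals) per ONE whole ZENO

    error ZeroCost();

    constructor(IZeno zeno_, IERC20 usdc_, address business_, uint256 price_) {
        zeno = zeno_;
        usdc = usdc_;
        business = business_;
        price = price_;
        // Normalize by 10 ** decimals, not by the decimals value (18) itself.
        zenoUnit = 10 ** zeno_.decimals();
    }

    /// USDC cost for `amount` ZENO units, rounded UP so dust orders cannot underpay.
    function quoteCost(uint256 amount) public view returns (uint256) {
        uint256 raw = price * amount;            // 1e6 * 1e18 = 1e24 before normalization
        return (raw + zenoUnit - 1) / zenoUnit;  // 1e24 / 1e18 = 1e6, i.e. exactly 1 USDC
    }

    function buy(uint256 amount) external {
        uint256 cost = quoteCost(amount);
        if (cost == 0) revert ZeroCost();        // reject orders too small to be priced
        usdc.safeTransferFrom(msg.sender, business, cost);
        zeno.mint(msg.sender, amount);           // amount stays in 18 decimals
    }
}
```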

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
