Decimals is not handled correctly while buying zeno tokens in ZENO auction.
Summary
The Auction::buy function allows users to purchase Zeno tokens in exchange for USDC. However, an incorrect handling of token decimals results in users paying significantly more USDC than intended.
Vulnerability Details
-
The
buyfunction takes an amount of Zeno tokens (e.g.,100e18). -
Zeno follows the ERC-20 standard with 18 decimals.
-
The price per Zeno token is determined via the
getPricefunction, which returns a value in 6 decimals (as seen in the test file). -
When computing the total USDC cost:
Cost = 100e18 * 2e6 = 200e24 , (price Assumed is 2e6)
Since USDC has only 6 decimals, the user ends up paying 1e12 times more USDC than necessary.
Impact
Users are required to pay an excessively high amount of USDC due to incorrect decimal handling, leading to severe overpayment and potential loss of funds.
Tools Used
Manual review
Recommendations
Properly normalize USDC decimals when computing the price.
Lead Judging Commences
Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.