USDC Decimals Not Accounted for, Leading to Exponential Over-Minting of ZENO
Summary
The buy function does not account for differences in decimal precision between ZENO (assumed 18 decimals) and USDC (typically 6 decimals on some chains), leading to significantly higher ZENO minting than intended.
Vulnerability Details
The cost calculation in
buyis done asprice * amount, assuming both tokens have the same decimal precision.On chains where USDC has 6 decimals (almost all, most notably mainnet), this results in the contract interpreting the payment as significantly larger when compared to 18-decimal ZENO.
Users effectively receive 1,000,000 times more ZENO than intended when buying with a 6-decimal USDC token.
Impact
Users can exploit this miscalculation to mint an excessive amount of ZENO, causing severe inflation.
This would devalue ZENO and disrupt the auction's economic model.
Potentially catastrophic financial loss for the project due to excessive token issuance.
Tools Used
Manual code review
Recommendations
Introduce a scaling factor that accounts for the decimal differences between USDC and ZENO:
uint256 scalingFactor = 10**(18 - usdc.decimals());uint256 cost = price * amount / scalingFactor;Verify the decimals of the USDC token dynamically using
usdc.decimals().Ensure consistent unit conversions throughout the contract.
Lead Judging Commences
Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.