The auction contract implements a gradual Dutch auction mechanism for selling ZENO tokens in exchange for USDC. However, a key vulnerability exists in the pricing model, allowing users to wait until the last moments of the auction to purchase ZENO tokens at a price very close to the reserve price. This strategic delay could result in lower revenues for the auction, making it inefficient from a capital-raising perspective.
The core issue arises from the linear price reduction model implemented in the contract’s getPrice() function. The function decreases the bond price steadily over time until the auction concludes, meaning that as long as bonds remain available, bidders can always obtain them at progressively lower rates. There is no penalty for waiting, nor is there any mechanism to create urgency or competition among bidders.
Rational actors, whether individual traders or algorithmic bots, will therefore optimize their strategy by delaying their purchase until the price nears the reserve price. This creates an auction dynamic where very few, if any, bids occur in the early and middle phases of the auction, and a sudden surge of bids may emerge at the last moment. If multiple participants attempt to purchase tokens simultaneously in the final seconds, network congestion or gas fee spikes could further distort the process, leading to unintended outcomes where some users miss out entirely or pay excessive gas fees.
A more sophisticated attack vector involves automated bot sniping, where scripts monitor the auction in real time and execute transactions the instant the price reaches an optimal threshold. Although the auction enforces a bid cap per auction, collective last-minute participation can still lead to most tokens being sold at the lowest price. Additionally, network congestion or gas price spikes in the final moments could prevent some users from successfully bidding, further disrupting fair token distribution.
The consequences of this vulnerability are significant, particularly from a revenue-generation and fairness perspective. Because bidders can wait until the final moments to participate, the vast majority of ZENO bonds are likely to be sold at prices close to the reserve price rather than at the intended market-driven equilibrium. This dramatically reduces the amount of USDC raised through the auction and prevents natural price discovery, making it an inefficient fundraising mechanism.
Additionally, the presence of automated bots further tilts the playing field against regular users, leading to an unfair distribution of tokens.
Manual Review
To discourage last-minute bidding and enhance competition, the auction should implement a price decay acceleration mechanism, where prices drop steeply early on and slow down later, reducing the incentive to wait. Additionally, a randomized closing window within the last 10–30 minutes would disrupt automated bot sniping by making the exact end time unpredictable, encouraging earlier participation.
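The following Python model is an added illustration of the recommendation, not code from the ZENO auction contract: it compares the linear getPrice() curve with a convex decay (reserve plus the remaining-time fraction raised to a power) and quantifies the risk a sniper takes against a randomized close. All prices, durations and the exponent are constructed assumptions.

```python
from fractions import Fraction
# Constructed parameters; the real auction's values are not on the page.
START_PRICE = 2_000_000    # 2.00 USDC per ZENO (6-decimal units)
RESERVE_PRICE = 500_000    # 0.50 USDC floor
DURATION = 72 * 3600       # 72-hour auction, in seconds
CLOSING_WINDOW = 30 * 60   # randomized close lands somewhere in the last 30 minutes

def _clamp(elapsed: int) -> int:
    return min(max(elapsed, 0), DURATION)

def linear_price(elapsed: int) -> int:
    """Current model: constant drop per second, so waiting always pays the same."""
    e = _clamp(elapsed)
    return START_PRICE - (START_PRICE - RESERVE_PRICE) * e // DURATION

def accelerated_price(elapsed: int, k: int = 3) -> int:
    """Recommended model: reserve + (start - reserve) * remaining**k; steep early, flat late."""
    remaining = Fraction(DURATION - _clamp(elapsed), DURATION)
    return RESERVE_PRICE + int((START_PRICE - RESERVE_PRICE) * remaining ** k)

def time_to_reach(price_fn, target: int) -> int:
    """First second at which price_fn is at or below target (curves are monotone)."""
    lo, hi = 0, DURATION
    while lo < hi:
        mid = (lo + hi) // 2
        if price_fn(mid) <= target:
            hi = mid
        else:
            lo = mid + 1
    return lo

def gain_from_waiting(price_fn, elapsed: int, extra: int) -> int:
    """USDC (6-dec) saved per token by delaying a purchase from `elapsed` by `extra` seconds."""
    return price_fn(elapsed) - price_fn(elapsed + extra)

def miss_probability(target_elapsed: int) -> Fraction:
    """If the close is drawn uniformly from the last CLOSING_WINDOW seconds, the chance
    the auction has already ended when a sniper submits at `target_elapsed`."""
    window_start = DURATION - CLOSING_WINDOW
    if target_elapsed <= window_start:
        return Fraction(0)
    return Fraction(min(target_elapsed, DURATION) - window_start, CLOSING_WINDOW)

if __name__ == "__main__":
    near_floor = RESERVE_PRICE + RESERVE_PRICE // 10  # within 10% of the floor
    for name, fn in (("linear", linear_price), ("accelerated", accelerated_price)):
        print(name, "hits floor+10% at hour", time_to_reach(fn, near_floor) // 3600,
              "; waiting the last hour saves", gain_from_waiting(fn, DURATION - 3600, 3600))
    print("sniping 5 min before nominal end misses with probability", miss_probability(DURATION - 300))
```

Under the linear curve the last hour still saves 20,834 units per token (about 4% of the floor), while under the convex curve it saves 4 units, so the rational strategy shifts from waiting to bidding near the knee of the curve; the randomized close turns a late submission into a gamble rather than a sure win.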