Users will overpay due to Wrong Cost Calculation in the Auction contract
Summary
In the Auction contract, there’s a mistake in how it calculates how much USDC users need to pay to buy ZENO tokens. The code doesn’t account for the fact that USDC and ZENO use different number scales (USDC has 6 decimals, ZENO has 18). This makes users pay way too much than they should or their transactions fail because they don’t have enough USDC.
Vulnerability Details
This problem starts because USDC and ZENO tokens count their amounts differently. USDC uses 6 decimals, so 1 USDC is 1,000,000 (10⁶) units. ZENO, like most tokens, uses 18 decimals, so 1 ZENO is 1,000,000,000,000,000,000 (10¹⁸) . When the Auction contract figures out how much USDC to charge for ZENO, it doesn’t fix this difference, leading to a huge error.
price is how much 1 ZENO costs in USDC wei. Let’s say it’s set to 1,000,000 (10⁶), meaning 1 USDC per ZENO.
The user should only pay 1 USDC (10⁶ wei) for 1 ZENO, but the code charges them a trillion times more (10¹² times, to be exact).
Impact
Users will pay way too much USDC than they should to buy ZENO tokens.
Tools Used
Manual Review
Recommendations
To fix this, the Auction contract needs to adjust the cost so it matches the right USDC amount. Here’s how:
Change the line uint256 cost = (price * amount); to:
Lead Judging Commences
Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.