Auction don't handle decimals
Summary
Decimals are not handled at all in the Auction contract, making it unusable because the price is calculated per wei.
Vulnerability Details
When a user buys tokens, the protocol directly multiplies the token amount by the price, as seen here:
However, the token amount is expressed with 18 decimals, while the price is expressed with 6 decimals (matching USDC’s decimals). This results in the price being applied per wei, leading to a completely incorrect and nonsensical price calculation.
Example:
If the user sets the starting price to 100 USDC, then at the beginning of the auction:
• Buying one Zeno token (which equals 1e18)
• The user would have to pay:
1e18*100 USDC wei = 1e14 USDC tokens
• This results in an enormous and incorrect amount, making the auction contract unusable.
Impact
The auction is unusable
Tools Used
Manual review
Recommendations
the protocol should change the buy function to handle decimals :
Lead Judging Commences
Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.