Core Contracts

Summary

The buy function in the ZENO auction contract does not properly handle decimal precision when calculating the cost in USDC, potentially leading to incorrect transfers of USDC due to mismatched decimal places between the ZENO price (18 decimals) and USDC (6 decimals).

Vulnerability Details

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/zeno/Auction.sol#L84-L97

In the buy function, the calculation of the cost is done by multiplying the price by the amount.

The issue arises from the fact that the price is calculated in a unit with 18 decimals (as ZENO tokens use 18 decimals), while USDC uses 6 decimals. If the price returned by getPrice() includes 18 decimals, multiplying it by amount will result in a cost value with much more decimals. This can lead to incorrect transfer amounts when attempting to transfer the calculated cost to the business address, as USDC requires 6 decimals for proper precision.

Example:

• If price has 18 decimals (e.g., 1 ZENO = 1000e18), and amount is 1000, the resulting cost will be 1000 * 1000e18 = 1000e24.

• Since USDC has only 6 decimals, this mismatch could cause the transfer to use a value that is much higher than intended or not properly rounded, potentially leading to errors or over-transfers.

Impact

Incorrect transfer amounts: Users may be required to transfer more than the intended amount of USDC, resulting in failed or inaccurate transactions.

Tools Used

Manual review

Recommendations

To fix the issue, ensure that the cost calculation converts the price to the correct number of decimals for USDC, which is 6 decimals. Since ZENO has 18 decimals, you should normalize the price to 6 decimals when calculating the cost.