Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Decimal Discrepancy in Price Calculation Leading to Excessive USDC Transfers in Auction Contract

Summary

The getPrice() function in the Auction.sol contract outputs a price using 6 decimal places (scaled by 1e6), while the ZENO tokens, which are minted and transferred during the auction, operate with 18 decimals. This mismatch causes the cost calculation to be off by a factor of 1e12, leading users to pay a substantially higher amount of USDC than intended. The error stems from failing to normalize the price output to the 18 decimal format of ZENO tokens, resulting in inflated USDC transfer amounts.
Vulnerability Details

  • Decimal Mismatch:
    The getPrice() function delivers a price with 6 decimals, whereas the token minting and transfer processes expect a price aligned with ZENO’s 18 decimals.

  • Cost Calculation Issue:
    When a user attempts to purchase, for example, 1000 ZENO tokens (expressed as 1000e18), the cost is computed by multiplying the price (in 6 decimals) by the token amount (in 18 decimals). This multiplication yields a value around 1000e24 instead of the correct 1000e6, dramatically inflating the USDC required for the purchase.

  • Normalization Failure:
    The absence of proper decimal normalization between the price and the token amount leads to erroneous scaling in the cost computation.

Impact

  • Excessive USDC Payment:
    Buyers may end up transferring a vastly higher amount of USDC than expected, causing potential financial losses.

  • Exploitation Risk:
    Malicious users could exploit this mismatch to manipulate the auction process, performing transactions with unexpected USDC amounts.

Tools Used

  • Manual Code Review:
    The discrepancy was identified through a thorough examination of the getPrice() and buy() functions.

Recommendations

  1. Normalize Price Decimals:
    Adjust the getPrice() function so that it returns a price using 18 decimals, aligning with the ZENO token's precision. For example, multiply the returned price by 1e12 to scale it up from 6 to 18 decimals.
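The arithmetic behind the finding and the fix, as an added integer model (example code, not Auction.sol or any code from the project): the unnormalized product is an assumed simplification of the reported bug, and `quote_cost` generalizes the recommendation by rescaling whatever decimal combination the amount, price and payment token use.

```python
# Added example: integer model of a mixed-decimal price quote. The
# decimal constants follow the report; the naive formula is an assumed
# simplification of buy()'s behaviour, not the contract's actual code.
ZENO_DECIMALS = 18   # ZENO token is minted with 18 decimals
USDC_DECIMALS = 6    # USDC uses 6 decimals
PRICE_DECIMALS = 6   # getPrice() returns USDC per whole ZENO, 6 decimals


def naive_cost(zeno_amount: int, price: int) -> int:
    """Unnormalized product: 18-decimal amount times 6-decimal price.

    The result carries 24 decimals but is treated as a USDC amount (6),
    so the buyer is charged far more than intended.
    """
    return zeno_amount * price


def quote_cost(zeno_amount: int, price: int,
               amount_decimals: int = ZENO_DECIMALS,
               price_decimals: int = PRICE_DECIMALS,
               pay_decimals: int = USDC_DECIMALS) -> int:
    """Cost in payment-token base units for `zeno_amount` base units.

    amount * price carries amount_decimals + price_decimals decimals;
    rescale that to pay_decimals with integer arithmetic only. Division
    rounds up so dust-sized purchases never round the price to zero.
    """
    product = zeno_amount * price
    shift = amount_decimals + price_decimals - pay_decimals
    if shift >= 0:
        return -(-product // 10 ** shift)   # ceiling division
    return product * 10 ** (-shift)


def inflation_factor(zeno_amount: int, price: int) -> int:
    """How many times too much USDC the naive formula charges."""
    return naive_cost(zeno_amount, price) // quote_cost(zeno_amount, price)


if __name__ == "__main__":
    amount = 1000 * 10 ** ZENO_DECIMALS   # 1000 ZENO, as in the report
    price = 1_500_000                     # constructed: 1.5 USDC per ZENO
    print("naive  :", naive_cost(amount, price))
    print("correct:", quote_cost(amount, price))
    print("factor :", inflation_factor(amount, price))
```

Scaling the price to 18 decimals, as the recommendation proposes, only helps if the divisor in the cost formula is adjusted to match; `quote_cost(amount, price * 10**12, price_decimals=18)` returns the same USDC figure because it derives the divisor from the declared decimals.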

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

  • Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
