Core Contracts

Summary

Context: Auction.sol#L84-L97

The Auction contract suffers from an issue where the USDC price for purchasing ZENO tokens is calculated without considering the differing decimals between ZENO (18 decimals) and USDC (6 decimals). This discrepancy can lead to incorrect amounts of USDC being transferred for a given ZENO amount, causing economic losses for users.

Vulnerability Details

In the buy() function, users purchase ZENO tokens with USDC. The price of ZENO tokens is calculated in the getPrice() function, but the decimals between ZENO and USDC are not considered in the calculation. ZENO uses 18 decimals, while USDC uses only 6 decimals. As a result, the transfer amount (cost) calculated as price * amount will be incorrect.

This leads to a scenario where:

• Project owner (businessAddress) will receive too much USDC.

• User will end up purchasing ZENO tokens for less USDC than they should.

The issue stems from the fact that the price of ZENO is calculated with 18 decimals, while USDC has only 6 decimals. This discrepancy will cause the project owner to lose USDC because the payment is under-calculated, while the user will receive the correct amount of ZENO for less USDC than expected.

Impact

The users will experience a financial loss, as they will not receive the expected amount of ZENO tokens for the amount of USDC they pay. The discrepancy in decimals could lead to widespread dissatisfaction and trust issues with the auction mechanism if not addressed.

Tools Used

Manual review

Recommendations

Modify the buy() function to properly handle decimals between ZENO and USDC token.