Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

An incorrect amount of ZENO tokens will be minted

Summary

The USDC token and ZENO token have different decimals, so the contract will mint the wrong amount of tokens because they are not scaled to 18 decimals.

Vulnerability Details

When the user buys ZENO tokens, they transfer USDC tokens. The ZENO token inherits the OpenZeppelin ERC20 contract, which has 18 decimals by default. This can be problematic because the USDC token has only 6 decimals on Mainnet.

An incorrect amount of tokens will be minted. The token should always be represented with 18 decimals, but the contract mints using 6 decimals. The contract will mint the wrong amount of tokens because they are not scaled to 18 decimals.

    function mint(address to, uint256 amount) external onlyOwner {
        if (amount == 0) {
            revert ZeroAmount();
        }
        _mint(to, amount);
        totalZENOMinted += amount;
    }

Impact

An incorrect amount of tokens will be minted.

Tools Used

Manual Review

Recommendations

Override the decimals function from the OpenZeppelin ERC20 contract and set the ZENO token to 6 decimals, or scale the amount before minting the tokens.
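
The two recommendations above, sketched as an added example (not the audited project's code). Contract names, function names and token names/symbols are hypothetical, and it assumes the amount passed to mint is expressed in 6-decimal USDC units as the report describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Added illustration; all names here are hypothetical.

// Recommendation 1: give the token the same precision as USDC (6 decimals),
// so amounts need no conversion between the two tokens.
contract SixDecimalToken is ERC20 {
    constructor() ERC20("Six Decimal Example", "SIX") {}

    function decimals() public pure override returns (uint8) {
        return 6;
    }
}

// Recommendation 2: keep the default 18 decimals and scale 6-decimal
// amounts up before minting.
contract ScaledMintToken is ERC20 {
    uint8 public constant PAYMENT_DECIMALS = 6; // USDC on Mainnet, per the report
    address public immutable owner;
    uint256 public totalMinted;

    error ZeroAmount();
    error NotOwner();

    constructor() ERC20("Scaled Mint Example", "SME") {
        owner = msg.sender;
    }

    // 1 whole unit at 6 decimals (1e6) becomes 1 whole unit at 18 decimals (1e18).
    function toTokenUnits(uint256 amount6) public view returns (uint256) {
        return amount6 * uint256(10) ** (decimals() - PAYMENT_DECIMALS);
    }

    function mint(address to, uint256 amount6) external {
        if (msg.sender != owner) revert NotOwner();
        if (amount6 == 0) revert ZeroAmount();
        uint256 scaled = toTokenUnits(amount6);
        _mint(to, scaled);
        totalMinted += scaled; // tracked in the token's own 18-decimal units
    }
}
```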

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
