Incorrect handling of USDC and Zeno token due to difference in decimals
Summary
There's an issue in the Zeno and USDC parity due to lack of accounting regarding difference of decimals.
Vulnerability Details
Zero is an ERC20 inherited from openzeppelin which doesn't modify the existing decimals, therefore it will have 18 decimals. USDC, on the ethereum mainnet, has 6 decimals.
Not taking the difference in decimals will lead to incorrect accounting in Zeno.sol and Auction.sol.
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/zeno/Auction.sol#L84-L97
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/zeno/ZENO.sol#L34-L40
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/zeno/ZENO.sol#L46-L63
For example, if the input is in 18 decimals.
And for example, if the input is in 6 decimals.
Impact
Incorrect accounting due to usdc having 6 decimals and zeno having 18 decimals. The flow of Auction.buy() -> Zeno.mint() -> Zeno.redeem() will not work. In the input is in 18 decimals the TX it will revert. If it's in 18 decimals, a very small amount of Zeno tokens will be minted.
Tools Used
Manual Review.
Recommendations
Need to account for the difference in decimals. One solution can be to assume function inputs are done with 18 decimals (since zero was 18 decimals), and when transferring usdc take into account the usdc.decimals().
In Zeno.redeem()
In Auction.buy()
Lead Judging Commences
Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.