Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Missing slippage in the buy function

Summary

Missing slippage in the buy function, leading to receiving a different amount of ZENO tokens than expected.

Vulnerability Details

The buy function in the Auction contract has no slippage check when ZENO tokens are bought. The price of the ZENO tokens is determined by the elapsed time: the more time passes, the closer the price gets to the reservePrice.

Without a slippage amount, some users may not receive the amount they expect. Their transactions can stay in the mempool for a long time (for example, 5-6 hours), and they will then be charged a different cost for their tokens.

Additionally, if their transaction is not executed immediately, the cost may differ from what they initially approved. For example, they approve spending 50k USDC to buy ZENO tokens, but if their transaction stays in the mempool for an hour, the cost = price * amount may be different from the initially approved 50k.

Impact

Users will buy a different amount of ZENO tokens than they expected.

Tools Used

Manual Review

Recommendations

Add a slippage amount parameter, mintAmountOut, in the buy transaction and check if the cost <= mintAmountOut.
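The recommended check, written out as an added example (it is not the project's Auction contract and not code from the submission). The contract name, the two interfaces, the linear price decay and the custom error are assumptions made for illustration; only buy, reservePrice, cost = price * amount and the mintAmountOut parameter name come from the text above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interfaces for this example, not the project's own.
interface IERC20Like { function transferFrom(address from, address to, uint256 amount) external returns (bool); }
interface IMintableLike { function mint(address to, uint256 amount) external; }

// Constructed descending-price auction; the linear decay is an assumption.
contract BoundedAuctionExample {
    IERC20Like public immutable usdc;
    IMintableLike public immutable zeno;
    uint256 public immutable startTime;
    uint256 public immutable endTime;
    uint256 public immutable startingPrice;
    uint256 public immutable reservePrice;

    error CostAboveLimit(uint256 cost, uint256 limit);

    constructor(
        address usdc_, address zeno_,
        uint256 startTime_, uint256 endTime_,
        uint256 startingPrice_, uint256 reservePrice_
    ) {
        require(endTime_ > startTime_ && startingPrice_ >= reservePrice_, "bad params");
        usdc = IERC20Like(usdc_);
        zeno = IMintableLike(zeno_);
        startTime = startTime_;
        endTime = endTime_;
        startingPrice = startingPrice_;
        reservePrice = reservePrice_;
    }

    // Price depends only on elapsed time and moves toward reservePrice.
    function getPrice() public view returns (uint256) {
        if (block.timestamp <= startTime) return startingPrice;
        if (block.timestamp >= endTime) return reservePrice;
        uint256 elapsed = block.timestamp - startTime;
        return startingPrice - ((startingPrice - reservePrice) * elapsed) / (endTime - startTime);
    }

    // mintAmountOut is the caller's upper bound on the total cost, as named
    // in the recommendation. The check runs before any token movement, so a
    // transaction executed at an unexpected price reverts without side effects.
    function buy(uint256 amount, uint256 mintAmountOut) external {
        uint256 cost = getPrice() * amount; // cost = price * amount, as in the report
        if (cost > mintAmountOut) revert CostAboveLimit(cost, mintAmountOut);
        require(usdc.transferFrom(msg.sender, address(this), cost), "USDC transfer failed");
        zeno.mint(msg.sender, amount);
    }
}
```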

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
