Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

USDC decimals are not accounted in `ZENO.redeem()`

Summary

USDC decimals are not accounted for in ZENO.redeem(), which allows a user to drain all USDC held by the ZENO contract.

Vulnerability Details

Link

Per the docs and code, USDC is used to buy ZENO tokens. In the auction, users pay a scaled amount of USDC computed by the dynamic price calculation, which accounts for USDC's low decimal count (6). But USDC decimals are not accounted for in ZENO.redeem(): the conversion rate is always 1:1, which is wrong because ZENO has the default 18 decimals.

```solidity
function redeemAll() external nonReentrant {
    if (!isRedeemable()) {
        revert BondNotRedeemable();
    }
    uint256 amount = balanceOf(msg.sender); // ZENO balance, 18 decimals
    totalZENORedeemed += amount;
    _burn(msg.sender, amount);
    // Bug: pays `amount` USDC base units (6 decimals) for `amount` ZENO base units (18 decimals)
    USDC.safeTransfer(msg.sender, amount);
}
```

For example, the price of 1 ZENO at the moment the user called Auction.buy() was 1 USDC. The user bought 100 ZENO (100e18 base units). Now the user can withdraw 100 USDC (100e6 base units) for only 0.0...001 ZENO (100e6 base units).

Impact

A user can steal all USDC from the ZENO contract by redeeming ZENO.

Tools Used

Manual review.

Recommendations

Apply the conversion rate when redeeming ZENO and scale the USDC amount to account for the difference between ZENO's 18 decimals and USDC's 6 decimals.
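The arithmetic behind the vulnerability description and the recommended fix, as an added JavaScript model that is not part of the finding or the project's code. It mirrors the Hardhat setting by working in BigInt base units: `redeemVulnerable` reproduces the 1:1 transfer in `redeemAll()`, while `redeemFixed` is an assumed corrected formula that applies a redemption price (USDC base units per whole ZENO) and divides by ZENO's 1e18 scale. The price, balances and function names are constructed for illustration.

```javascript
// Added model of ZENO redemption arithmetic (not the project's code).
// Amounts are BigInt base units: ZENO has 18 decimals, USDC has 6.
const ZENO_DECIMALS = 18n;
const USDC_DECIMALS = 6n;
const ONE_ZENO = 10n ** ZENO_DECIMALS; // 1e18 base units per ZENO
const ONE_USDC = 10n ** USDC_DECIMALS; // 1e6 base units per USDC

// Vulnerable path as written in redeemAll(): burns `zenoAmount` ZENO base
// units and pays the same number back as USDC base units.
function redeemVulnerable(zenoAmount) {
  return zenoAmount; // USDC base units transferred
}

// Assumed fix: price is quoted in USDC base units per whole ZENO, so
// zenoAmount (1e18/token) * price (1e6/token) / 1e18 gives USDC base units.
function redeemFixed(zenoAmount, priceUsdcPerZeno) {
  return (zenoAmount * priceUsdcPerZeno) / ONE_ZENO;
}

// How many times more USDC the vulnerable path pays than the fixed one.
// Returns null when the correct payout is zero (dust redemption).
function overpaymentFactor(zenoAmount, priceUsdcPerZeno) {
  const correct = redeemFixed(zenoAmount, priceUsdcPerZeno);
  if (correct === 0n) return null;
  return redeemVulnerable(zenoAmount) / correct;
}

// Invariant a test suite should assert after every redemption: the contract
// never promises more USDC than it holds.
function solvencyHolds(usdcBalance, paidOut) {
  return paidOut <= usdcBalance;
}

// Constructed scenario from the finding: 100 ZENO bought at 1 USDC each, so
// the contract holds 100 USDC to back them.
const PRICE = ONE_USDC; // 1 USDC per ZENO
const CONTRACT_USDC = 100n * ONE_USDC; // 100 USDC
const FULL_POSITION = 100n * ONE_ZENO; // 100 ZENO
const DUST_POSITION = 100n * ONE_USDC; // 100e6 ZENO base units, i.e. 1e-10 ZENO

function scenario() {
  return {
    fixedFull: redeemFixed(FULL_POSITION, PRICE), // 100 USDC, as intended
    vulnerableFull: redeemVulnerable(FULL_POSITION), // 1e20 USDC base units
    vulnerableDust: redeemVulnerable(DUST_POSITION), // 100 USDC for dust
    fixedDust: redeemFixed(DUST_POSITION, PRICE), // rounds to 0
    factor: overpaymentFactor(FULL_POSITION, PRICE), // 1e12
    vulnerableSolvent: solvencyHolds(CONTRACT_USDC, redeemVulnerable(FULL_POSITION)),
    fixedSolvent: solvencyHolds(CONTRACT_USDC, redeemFixed(FULL_POSITION, PRICE)),
  };
}

console.log(scenario());
```

The `overpaymentFactor` of 1e12 is exactly the 10^(18-6) decimal gap, which is why a position worth 100e6 ZENO base units (far below a single whole ZENO) is enough to empty the 100 USDC backing the full position. The `solvencyHolds` check is the invariant a Hardhat test should enforce after redemptions.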

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Decimal precision mismatch between ZENO token (18 decimals) and USDC (6 decimals) not accounted for in redemption, causing calculation errors and incorrect payments
