Summary

The buy function has a precision mismatch issue due to different decimal places between USDC (6 decimals) and ZENO (potentially 18 decimals). This can lead to incorrect fund transfers, where users receive significantly less than expected.

Vulnerability Details

The buy function contains a critical issue related to the precision mismatch between USDC and ZENO tokens. The function assumes that the operation USDC.safeTransfer(msg.sender, amount); correctly transfers the expected value, but this assumption can be incorrect due to differences in token decimal precision.

Impact

• Users may receive an incorrect amount of USDC, potentially causing financial loss.

• The contract may fail to execute expected trades accurately, leading to trust issues and reputational damage.

• Possible exploitation scenarios where an attacker could manipulate token conversions to their advantage.

Tools Used

Recommendations

To prevent this issue, the contract should normalize the amount value before executing transfers:

1. Convert USDC amount to 18 decimals (if ZENO operates with 18 decimals) before calculations:

   uint256 normalizedAmount = amount * (10**(18 - 6)); // Adjusting from 6 to 18 decimals

2. Use proper conversion factors based on token decimals:

   uint256 usdcDecimals = 6; // USDC decimal places

   uint256 zenoDecimals = 18; // ZENO decimal places

   uint256 normalizedAmount = amount * (10**(zenoDecimals - usdcDecimals));

3. Implement a dynamic approach to fetch token decimals using IERC20Metadata(address).decimals():

   uint256 usdcDecimals = IERC20Metadata(address(USDC)).decimals();

   uint256 zenoDecimals = IERC20Metadata(address(ZENO)).decimals();

   uint256 normalizedAmount = amount * (10**(zenoDecimals - usdcDecimals));

Recommendation:

• Implement proper decimal conversion logic before any transfers.

• Ensure extensive unit testing with different token decimal configurations.

• Consider integrating an oracle or external pricing mechanism for additional accuracy in token swaps.