Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Auction will cause loss of funds due to decimal mismatch ZENO/USDC

Summary

The Auction contract incorrectly handles decimal precision when converting between USDC (6 decimals) and ZENO (18 decimals) tokens. Users receive only a fraction of their purchased tokens.

Vulnerability Details

In the Auction contract's buy function:

    function buy(uint256 amount) external whenActive {
        require(amount <= state.totalRemaining, "Not enough ZENO remaining");
        uint256 price = getPrice();
        uint256 cost = price * amount;
        // @audit - if `getPrice` is 6 decimals, we have a correct transfer of USDC.
        require(usdc.transferFrom(msg.sender, businessAddress, cost), "Transfer failed");
        bidAmounts[msg.sender] += amount;
        state.totalRemaining -= amount;
        state.lastBidTime = block.timestamp;
        state.lastBidder = msg.sender;
        zeno.mint(msg.sender, amount); // @audit-issue - amount not scaled to 18 decimals
        emit ZENOPurchased(msg.sender, amount, price);
    }

The contract does not account for the decimal mismatch between the two tokens, i.e.:

Input: 10_000_000_000 (10k USDC in 6 decimals)

ZENO minted: 10_000_000_000 (0.00000001 ZENO in 18 decimals)

Impact

The user receives far less minted ZENO than they should.

Tools Used

Manual Review

Recommendations

Change ZENO's decimals to 6, or normalize token decimals in the ZENO and Auction contracts.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
