Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

ZENO has 18 decimals while USDC has 6, causing incoherent accounting

Summary

ZENO has 18 decimals while USDC has 6, causing incoherent accounting.

Vulnerability details

For each USDC amount spent, the same raw amount of ZENO is minted.
But ZENO has 18 decimals, because decimals() is not overridden in the contract, while USDC has 6 decimals.
This means that 1 USDC (1e6 base units) mints only 1e6 ZENO base units, i.e. 1e-12 ZENO.

Impact

Explorers and wallets will show ridiculously low ZENO balances.

Proof of Concept

File: contracts/zeno/Auction.sol

function buy(uint256 amount) external whenActive {
    require(amount <= state.totalRemaining, "Not enough ZENO remaining");
    uint256 price = getPrice();
    uint256 cost = price * amount;
    require(usdc.transferFrom(msg.sender, businessAddress, cost), "Transfer failed");

    bidAmounts[msg.sender] += amount;
    state.totalRemaining -= amount;
    state.lastBidTime = block.timestamp;
    state.lastBidder = msg.sender;

    zeno.mint(msg.sender, amount); // @audit amount not scaled to 18 decimals
    emit ZENOPurchased(msg.sender, amount, price);
}

Recommended Mitigation Steps

Scale the USDC amount to ZENO decimals before calling zeno.mint.
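The accounting error described in the vulnerability details and the scaling fix recommended above, modelled as an added Python example (not the project's Solidity and not part of the original submission). The names scale_amount, buy_unscaled, buy_scaled and zeno_per_usdc are assumptions made for this illustration; the sample input of 1 USDC is constructed. scale_amount is written generally for any pair of decimal conventions, so it also shows the truncation that occurs when scaling down, which the report does not cover.

```python
from decimal import Decimal

# Decimal conventions stated in the report (hypothetical constants for this model).
USDC_DECIMALS = 6
ZENO_DECIMALS = 18


def scale_amount(amount: int, from_decimals: int, to_decimals: int) -> int:
    """Convert an integer base-unit amount between two decimal conventions.

    Scaling up is exact. Scaling down truncates, so a caller converting
    18-decimal amounts back to 6 decimals must decide whether losing the
    dust is acceptable.
    """
    if amount < 0:
        raise ValueError("token amounts are unsigned")
    if to_decimals >= from_decimals:
        return amount * 10 ** (to_decimals - from_decimals)
    return amount // 10 ** (from_decimals - to_decimals)


def to_whole_units(base_units: int, decimals: int) -> Decimal:
    """Render a base-unit amount the way a wallet does (1000000 -> 1 USDC)."""
    return Decimal(base_units) / (Decimal(10) ** decimals)


def buy_unscaled(usdc_paid: int) -> int:
    """Reported behaviour: the raw USDC number is minted as ZENO base units."""
    return usdc_paid


def buy_scaled(usdc_paid: int) -> int:
    """Mitigated behaviour: scale the USDC amount to ZENO decimals first."""
    return scale_amount(usdc_paid, USDC_DECIMALS, ZENO_DECIMALS)


def zeno_per_usdc(minted: int, usdc_paid: int) -> Decimal:
    """Effective exchange rate in whole units; a 1:1 sale must return 1."""
    return to_whole_units(minted, ZENO_DECIMALS) / to_whole_units(usdc_paid, USDC_DECIMALS)


if __name__ == "__main__":
    one_usdc = 10 ** USDC_DECIMALS  # constructed input: 1 USDC in base units
    print("unscaled mint:", to_whole_units(buy_unscaled(one_usdc), ZENO_DECIMALS), "ZENO")
    print("scaled mint:  ", to_whole_units(buy_scaled(one_usdc), ZENO_DECIMALS), "ZENO")
```

Running the model with 1 USDC prints 1E-12 ZENO for the unscaled path and 1 ZENO for the scaled path, which is the discrepancy a reviewer can check with a single invariant: zeno_per_usdc must equal the intended rate for every purchase.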

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Auction.sol's buy() function multiplies ZENO amount (18 decimals) by price (6 decimals) without normalization, causing users to pay 1 trillion times the intended USDC amount
