Category: Coding Mistakes
Misleading exercisePrice comment
Low Severity
Low Impact
Low Likelihood
Description
It appears that exercisePrice is defined as the number of option tokens that one payment token can purchase.
In the test script MetaVestControllerTest, the exercisePrice is set to 1e18 and the payment token uses a six-decimal format. For example, if the payment token is USDC, 1 USDC could currently exercise one token.
However, this does not match the comment in the code. The comment says that the exercise price is in decimals of the payment token.
/// @notice updates the exercise price
/// @dev onlyController -- must be called from the metavest controller
/// @param _newPrice - the new exercise price in decimals of the payment token
function updatePrice(uint256 _newPrice) external onlyController {
    if(terminated) revert MetaVesT_AlreadyTerminated();
    exercisePrice = _newPrice;
    emit MetaVesT_PriceUpdated(grantee, _newPrice);
}
Impact
The comment is misleading: if the price is set in decimals of the payment token, it could lead to confusion and incorrect calculations.
Recommendations
Update the comment to reflect the actual behavior of the code.
Remediation
This issue has been acknowledged by MetaLeX Labs, Inc, and a fix was implemented in commit 2d59bb00.