026.md

Shambolic Mint Dinosaur

High

ERC20 Decimal Handling Risk

Summary

The claimFee function uses UFixed6Lib and UFixed18Lib for token amounts, assuming consistent decimal handling.

Root Cause

In https://github.com/sherlock-audit/2025-01-perennial-v2-4-update/blob/main/perennial-v2/packages/core/contracts/Market.sol#L360 the claimFee function uses UFixed6Lib and UFixed18Lib for token amounts, assuming consistent decimal handling.
In https://github.com/sherlock-audit/2025-01-perennial-v2-4-update/blob/main/perennial-v2/packages/core/contracts/Market.sol#L390 For tokens with decimals ≠ 18 (e.g., USDC with 6 decimals), conversions like UFixed18Lib.from(feeReceived) may miscalculate values.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

Token transfers may fail or lose precision for non-18 decimal tokens.

PoC

No response

Mitigation

Use library methods that explicitly account for token decimals during conversions.