`abi.encodePacked()` should not be used with dynamic types when passing the result to a hash function such as `keccak256()`, since it may lead to a hash collision. For example, `abi.encodePacked(0x123,0x456)` => `0x123456` => `abi.encodePacked(0x1,0x23456)`, but `abi.encode(0x123,0x456)` => `0x0...1230...456`.
There is 1 instance of this issue.
File Link | Instance Count | Instance Link |
---|---|---|
EscrowFactory.sol | 1 | 75 |
A hash collision would result in an incorrectly computed escrow address.
baudit: a custom static code analysis tool; manual review
To prevent hash collisions, use `abi.encode()` instead, since it will pad the arguments to 32 bytes. Unless there is a compelling reason, `abi.encode` should be preferred. If there is only one argument to `abi.encodePacked()`, it can often be cast to `bytes()` or `bytes32()` instead. If all arguments are strings and/or bytes, `bytes.concat()` should be used instead.
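The collision and the fix described above can be seen at the byte level. This is an added example, not code from `EscrowFactory.sol` or from the audit tool: a Python model of how the two encodings lay out two dynamic (`string`/`bytes`) arguments, with hypothetical function names and constructed inputs. Identical preimages give identical `keccak256()` digests, so comparing the encoded bytes is enough.

```python
"""Model of Solidity's packed vs. standard ABI encoding for dynamic values."""


def encode_packed(*parts: bytes) -> bytes:
    # abi.encodePacked on string/bytes: raw bytes are concatenated with
    # no length prefix and no padding, so argument boundaries are lost.
    return b"".join(parts)


def _word(n: int) -> bytes:
    # One 32-byte big-endian ABI word.
    return n.to_bytes(32, "big")


def _pad32(data: bytes) -> bytes:
    # Right-pad to the next multiple of 32 bytes.
    return data + b"\x00" * (-len(data) % 32)


def encode(*parts: bytes) -> bytes:
    # abi.encode on dynamic values: a head of 32-byte offsets, then for
    # each argument a 32-byte length followed by its padded data.
    tails = [_word(len(p)) + _pad32(p) for p in parts]
    head, offset = b"", 32 * len(parts)
    for tail in tails:
        head += _word(offset)
        offset += len(tail)
    return head + b"".join(tails)


def collides(encoder, x, y) -> bool:
    # Same preimage means same hash, whatever the hash function is.
    return encoder(*x) == encoder(*y)


# Constructed inputs: two different argument lists.
PAIR_1 = (b"ab", b"c")
PAIR_2 = (b"a", b"bc")

if __name__ == "__main__":
    print("encodePacked:", encode_packed(*PAIR_1).hex(), encode_packed(*PAIR_2).hex())
    print("encodePacked collides:", collides(encode_packed, PAIR_1, PAIR_2))
    print("encode collides:      ", collides(encode, PAIR_1, PAIR_2))
```
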