Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low

Usage of abi.encodePacked() with different length arguments may lead to hash collision.

Summary

Usage of abi.encodePacked() with different length arguments may lead to hash collision.

Vulnerability Details

This finding concerns the use of abi.encodePacked() with arguments of varying length. In getProxyAddress(), abi.encodePacked() concatenates the byte representations of its arguments without padding any of them to a fixed width. As a result, two different argument sets can produce the same packed output whenever the boundary between one pair of arguments can be shifted to match the boundary of another. Because that output is then hashed with keccak256(), identical packed bytes yield identical hashes, which can cause unexpected behaviour in the contract. This is particularly dangerous here because the hash is used to compute the address of a proxy contract, and a collision could result in funds being sent to the wrong address.

Tools Used

Manual, solscan

Recommendations

To resolve this issue, ensure that every argument passed to abi.encodePacked() has a fixed length. This can be achieved by padding each argument to a fixed length before it is passed to the function.

Here is an example of how you can pad a bytes32 argument to a fixed length:

bytes32 paddedArgument = bytes32(uint256(argument) << 96);

In this example, the argument is left-shifted by 96 bits so that it always occupies a full 32 bytes. This ensures that the argument is of a fixed length regardless of its original length.

You should apply this padding to all arguments passed to abi.encodePacked() in the getProxyAddress() function. This will prevent potential hash collisions and ensure that the function always returns the correct address.
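As an added illustration of both the collision described under Vulnerability Details and the fixed-length encoding recommended above (this is not code from the submission or the Sparkn codebase), the following Python models Solidity's abi.encodePacked() next to the standard padded, length-prefixed abi.encode() for a small subset of types. The type subset, helper names and sample inputs are assumptions made for the example.

```python
# Added example, not code from the submission or the Sparkn codebase: a minimal
# model of abi.encodePacked() versus abi.encode() for a few Solidity types
# (assumed helper names and constructed sample inputs).

def _raw(val):
    """Dynamic bytes/string values as raw bytes."""
    return val if isinstance(val, bytes) else val.encode()

def encode_packed(args):
    """abi.encodePacked: each argument contributes only its raw bytes; there is
    no padding and no length prefix, so argument boundaries are not recoverable."""
    out = b""
    for typ, val in args:
        if typ == "uint256":
            out += val.to_bytes(32, "big")
        elif typ == "address":
            out += val.to_bytes(20, "big")
        elif typ in ("bytes", "string"):
            out += _raw(val)
        else:
            raise ValueError(f"unsupported type {typ}")
    return out

def encode(args):
    """abi.encode: static types are padded to 32-byte words and each dynamic
    argument lives in the tail behind a 32-byte length prefix, so two different
    argument lists cannot produce the same bytes."""
    head, tail = b"", b""
    for typ, val in args:
        if typ in ("bytes", "string"):
            raw = _raw(val)
            head += (32 * len(args) + len(tail)).to_bytes(32, "big")  # tail offset
            padded = (len(raw) + 31) // 32 * 32
            tail += len(raw).to_bytes(32, "big") + raw.ljust(padded, b"\x00")
        elif typ in ("uint256", "address"):
            head += val.to_bytes(32, "big")
        else:
            raise ValueError(f"unsupported type {typ}")
    return head + tail

def same_preimage(a, b):
    """True when two distinct argument lists yield identical packed bytes; any
    hash of identical input, keccak256 included, is then identical as well."""
    return a != b and encode_packed(a) == encode_packed(b)

# Constructed sample inputs: the boundary between the two bytes arguments
# shifts by one byte, yet the packed concatenation is b"abc" in both cases.
ARGS_A = [("bytes", b"ab"), ("bytes", b"c")]
ARGS_B = [("bytes", b"a"), ("bytes", b"bc")]
```

Running same_preimage(ARGS_A, ARGS_B) returns True while encode(ARGS_A) and encode(ARGS_B) differ, which is the property the padding recommendation relies on.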
