Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low

Should use abi.encode, instead of type casting for packing the data of the constructor arguments

Summary

bytes memory code = abi.encodePacked(type(Proxy).creationCode, uint256(uint160(implementation)));

This is low-level and assumes that you know exactly how the types are laid out in memory. It may be efficient but can be prone to errors if not done carefully.

Vulnerability Details

Typecasting: When you use typecasting like uint256(uint160(implementation)), you're manually converting an address to a 160-bit integer, and then to a 256-bit integer. This essentially pads zeros to the more significant bits.

ABI Encoding: When you use abi.encode, you're using the Ethereum Contract ABI encoding scheme. This is higher-level, easier to understand, and more self-documenting. It's also safer because it handles the ABI encoding rules for you.

Impact

The packing relies on a low-level format and can produce undesirable side effects due to how the data is laid out in memory.

Tools Used

Manual review

Recommendations

If you need the packed data to conform to a specific, low-level format, and you're confident you can manage the type conversions correctly, then typecasting is okay.

If you're looking for readability, maintainability, and you want to make sure that the encoding conforms to the Ethereum Contract ABI, use abi.encode. Typecasting only makes sense when you need the packed data to conform to a specific, low-level format, and it can create undesirable side effects if the conversions are wrong.
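The following is an added example, not code from the Sparkn codebase, showing the two ways of building the init code side by side. The Proxy contract and the InitCodeExample helper are assumed stand-ins for the project's own contracts; for a single address constructor argument both forms yield identical bytes, and the deploy function checks that the constructor argument survives a CREATE2 deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal stand-in for the project's Proxy: one address constructor argument.
contract Proxy {
    address public immutable implementation;

    constructor(address impl) {
        implementation = impl;
    }
}

contract InitCodeExample {
    // Original style: manual cast address -> uint160 -> uint256, then packed.
    // This happens to be correct only because the cast widens to a full 32-byte word.
    function initCodeCast(address implementation) public pure returns (bytes memory) {
        return abi.encodePacked(type(Proxy).creationCode, uint256(uint160(implementation)));
    }

    // Recommended style: let abi.encode produce the ABI-conformant 32-byte word.
    // With several or narrower arguments (e.g. a uint8) abi.encodePacked would not
    // pad them to 32 bytes, while abi.encode always does.
    function initCodeAbi(address implementation) public pure returns (bytes memory) {
        return abi.encodePacked(type(Proxy).creationCode, abi.encode(implementation));
    }

    // Sanity check: for a lone address argument the two encodings are byte-identical.
    function sameInitCode(address implementation) external pure returns (bool) {
        return keccak256(initCodeCast(implementation)) == keccak256(initCodeAbi(implementation));
    }

    // Deploys the proxy with CREATE2 from the ABI-encoded init code and verifies
    // that the constructor received the intended implementation address.
    function deploy(address implementation, bytes32 salt) external returns (address proxy) {
        bytes memory code = initCodeAbi(implementation);
        assembly {
            proxy := create2(0, add(code, 0x20), mload(code), salt)
        }
        require(proxy != address(0), "create2 failed");
        require(Proxy(proxy).implementation() == implementation, "constructor arg mismatch");
    }
}
```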
