Sparkn

Summary

The deployProxyAndDistributeBySignature() function in the given smart contract uses a hashing mechanism that might, under specific circumstances, process a total of 64 bytes inside the keccak256 function. Given known concerns with Merkle tree collisions for 64-byte chunks, this may expose the contract to unforeseen vulnerabilities or attacks.

Vulnerability Details

In the deployProxyAndDistributeBySignature() function, the following line hashes combined data:
https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/ProxyFactory.sol#L159

• contestId is a fixed-size bytes32, contributing 32 bytes.

• data is a dynamically-sized bytes array. If its size is exactly 32 bytes, the combined data size is 64 bytes.

Historically, when forming Merkle proofs, hashing a 64-byte chunk with keccak256 has raised concerns because it might be reinterpreted as two concatenated 32-byte nodes.

Impact

But while the result isn't being used directly to form a Merkle tree leaf in the given context, an attacker might find ways to exploit this structure, leading to unexpected behaviors or vulnerabilities. This could potentially undermine the integrity of operations relying on this hash, resulting in unauthorized actions or compromises.
So, the users can abuse merkle tree collisions, which is clearly a high impact.

Tools Used

Manual Code Review

Recommendations

1. Ensure that the combination of variables won't sum to 64 bytes.

2. Consider adding a unique delimiter or prefix when encoding contestId and data. This would ensure that the combined data cannot be easily split into two separate 32-byte components.

3. If possible, use fixed-length data inputs to ensure that the hashed data's length is predictable and non-manipulatable.