Submission Details
Severity:
Use of "abi.encodePacked" can result in hash collision
Summary
It's a best practice to use abi.encode instead of abi.encodePacked when hashing parameters, because of hashing collisions.
Vulnerability Details
In Listing.sol and Order.sol contracts, abi.encodePacked method is used for hashing, which can lead to hashing collisions:
function _hashListing(PodListing memory podListing) internal pure returns (bytes32 hash) {
return
keccak256(
abi.encodePacked(
podListing.lister,
podListing.fieldId,
podListing.index,
podListing.start,
podListing.podAmount,
podListing.pricePerPod,
podListing.maxHarvestableIndex,
podListing.minFillAmount,
podListing.mode
)
);
}
function _getOrderId(PodOrder memory podOrder) internal pure returns (bytes32 id) {
return
keccak256(
abi.encodePacked(
podOrder.orderer,
podOrder.fieldId,
podOrder.pricePerPod,
podOrder.maxPlaceInLine,
podOrder.minFillAmount
)
);
}
This is because abi.encodePacked concatenates all the strings. This can result in same pod order id or listing used for exchanges. Here is a brief example using Foundry:
import {Test} from "forge-std/Test.sol;
...
function testHashes() public {
bytes memory h1 = abi.encodePacked("aabb", "");
bytes memory h2 = abi.encodePacked("aa", "bb");
assertEq(h1, h2);
}
Tools Used
Manual Review
Recommendations
Use abi.encode() instead of abi.encodePacked() for hashing
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Reason: Known issue
Assigned finding tags:
Known - LightChaser
Prize pool breakdown
Total prize
250,000 USDC
nSLOC
12,28520 USDC / LOC
220,000 USDC
10,000 USDC
20,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.