Potential Hash Collision in Starklane's _consumeMessageAutoWithdraw Function
Summary
The _consumeMessageAutoWithdraw function in Starklane contract is responsible for processing withdrawal messages automatically. However, the use of abi.encodePacked() with dynamic types when generating the message hash using keccak256() poses a risk of hash collisions.
Vulnerability Details
Function _consumeMessageAutoWithdraw generates a hash (msgHash) using keccak256() function, with the input generated by abi.encodePacked(). However, abi.encodePacked() can lead to ambiguous encoding when used with dynamic types, such as arrays or strings, which may result in hash collisions. When the result of abi.encodePacked() is passed to keccak256(), different sets of input data can produce the same hash, potentially allowing malicious actors to manipulate or replay messages.
Impact
This vulnerability could lead to unauthorized withdrawals or the failure to correctly process withdrawal messages, compromising the security and reliability of the Starklane contract. An attacker could potentially craft inputs that result in the same hash, leading to the incorrect processing of messages or even financial loss.
Tools Used
Manual Review
Recommendations
To mitigate the risk of hash collisions, _consumeMessageAutoWithdraw function should be refactored to use abi.encode() instead of abi.encodePacked() when generating the hash. This ensures that dynamic types are encoded in a non-ambiguous way, preventing potential collisions.
Lead Judging Commences
invalid-encodePacked-collision-known-issue
Known issue: lightchaser
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.