Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Potential Security Risk with abi.encodePacked Usage

Summary

There is a potential security risk in NativeMetaTransaction.sol due to the use of abi.encodePacked for concatenating the functionSignature and userAddress. This could result in data collisions and ambiguous encodings under certain conditions.

Finding Description

The contract uses abi.encodePacked(functionSignature, userAddress) in the executeMetaTransaction function to concatenate the function signature with the user address. Using abi.encodePacked with multiple arguments can lead to encoding collisions, where two different sets of inputs produce the same packed byte string. This poses a security risk, as an attacker could potentially craft inputs that collide so that the wrong function is executed.

In Ethereum contracts, ambiguous concatenation can break the security guarantees of deterministic input mapping, as distinct inputs should ideally produce distinct encodings. While this vulnerability does not automatically manifest as an issue, it could be exploited if a user crafted specific inputs that generate the same hash.

Vulnerability Details

In the executeMetaTransaction function:

(bool success, bytes memory returnData) = address(this).call{value: msg.value}(
    abi.encodePacked(functionSignature, userAddress)
);

Concatenating the functionSignature and userAddress without a delimiter or separation can lead to encoding conflicts. This could allow a scenario where two different functionSignature and userAddress combinations yield the same packed encoding, resulting in unintended function execution.

Impact

This vulnerability is classified as Medium impact. While it does not present an immediate issue, it could become exploitable in edge cases where inputs can be crafted to produce the same packed encoding. This could potentially lead to unauthorized function calls or unintended behavior within the contract.

Proof of Concept

No specific malicious input has been identified, but here’s how the vulnerability can theoretically arise:

  1. Two different (functionSignature, userAddress) pairs could be constructed to collide in their packed encoding.

  2. This would allow one pair to masquerade as another, potentially leading to unauthorized function execution.

For instance, if functionSignature is a fixed length and userAddress changes, an attacker could craft inputs that exploit this.

Recommendations

To mitigate this risk, use abi.encode instead of abi.encodePacked. The abi.encode function provides strict encoding, ensuring no ambiguities:

Recommended Code

(bool success, bytes memory returnData) = address(this).call{value: msg.value}(
    abi.encode(functionSignature, userAddress)
);

Switching to abi.encode will avoid encoding collisions and ensure that distinct inputs produce distinct encodings.
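The encoding behaviour this finding and its judgement both turn on can be checked offline. The following is an added example, not code from the submission or from NativeMetaTransaction.sol: it models abi.encodePacked and abi.encode for bytes and address arguments, shows that packed collisions require two or more dynamic-length arguments, and shows that when the last argument is a fixed 20-byte address the packed calldata splits back into its parts unambiguously. The selector and address values are constructed sample data.

```python
from typing import List, Tuple

# Each argument is ("bytes", payload) for dynamic bytes or ("address", 20-byte value).
Arg = Tuple[str, bytes]


def encode_packed(args: List[Arg]) -> bytes:
    """Model of abi.encodePacked: raw concatenation, no length prefixes, no padding."""
    return b"".join(value for _, value in args)


def abi_encode(args: List[Arg]) -> bytes:
    """Model of abi.encode: one 32-byte head slot per argument (static value or
    tail offset), followed by length-prefixed, 32-byte-padded tails for dynamic data."""
    head, tail = b"", b""
    head_size = 32 * len(args)
    for kind, value in args:
        if kind == "address":
            head += value.rjust(32, b"\x00")  # left-padded static word
        else:
            head += (head_size + len(tail)).to_bytes(32, "big")  # offset into tail
            padded_len = -(-len(value) // 32) * 32  # round up to a 32-byte multiple
            tail += len(value).to_bytes(32, "big") + value.ljust(padded_len, b"\x00")
    return head + tail


def packed_collides(a: List[Arg], b: List[Arg]) -> bool:
    """True when two distinct argument lists have identical packed encodings."""
    return a != b and encode_packed(a) == encode_packed(b)


def split_packed_bytes_address(calldata: bytes) -> Tuple[bytes, bytes]:
    """Inverse of encode_packed([("bytes", sig), ("address", user)]).
    Because the address is always exactly 20 bytes, the split point is fixed and
    a decoder exists, so distinct (sig, user) pairs cannot share one encoding."""
    return calldata[:-20], calldata[-20:]


# Constructed sample data: a 4-byte selector with two argument words, and a user address.
SAMPLE_SIG = bytes.fromhex("a9059cbb") + b"\x00" * 64
SAMPLE_USER = bytes.fromhex("11" * 20)

if __name__ == "__main__":
    # Two dynamic bytes arguments: packed form collides, abi.encode form does not.
    x = [("bytes", b"\x01\x02"), ("bytes", b"\x03")]
    y = [("bytes", b"\x01"), ("bytes", b"\x02\x03")]
    print("packed collision (bytes, bytes):", packed_collides(x, y))
    print("abi.encode collision (bytes, bytes):", abi_encode(x) == abi_encode(y))
    # bytes followed by a fixed-size address: the packed calldata decodes uniquely.
    packed = encode_packed([("bytes", SAMPLE_SIG), ("address", SAMPLE_USER)])
    print("round-trip ok:", split_packed_bytes_address(packed) == (SAMPLE_SIG, SAMPLE_USER))
```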

File Location

NativeMetaTransaction.sol

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
