Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Potential Hash Collision Risk in Token Symbol Generation Using abi.encodePacked()

sauronsol

Summary

A low-severity vulnerability was identified in the use of abi.encodePacked() for generating the symbols of wTokens. Although the current impact is limited, this practice could pose risks if the code is modified in the future.

Vulnerability Details

The contract uses abi.encodePacked() to concatenate strings when creating the symbols of wTokens. This method is susceptible to creating hash collisions if used with dynamic strings.

PoC:

describe("Hash Collision Vulnerability", async () => {

let s: SetupOutput;

beforeEach(async () => {

s = await loadFixture(setup);

});

it("Should demonstrate hash collision with abi.encodePacked", async () => {

// Register the two tokens supported by Aave

await s.aaveDIVAWrapper.registerCollateralToken(collateralToken); // USDT

await s.aaveDIVAWrapper.registerCollateralToken(collateralToken2); // USDC

// Retrieve the generated wTokens

const wToken1Address = await s.aaveDIVAWrapper.getWToken(collateralToken);

const wToken2Address = await s.aaveDIVAWrapper.getWToken(collateralToken2);

// Verify that the names of the wTokens are different

const wToken1 = await ethers.getContractAt("WToken", wToken1Address);

const wToken2 = await ethers.getContractAt("WToken", wToken2Address);

// Demonstrate that abi.encodePacked can create collisions

const encodePacked1 = ethers.solidityPacked(["string", "string"], ["w", await wToken1.symbol()]);

const encodePacked2 = ethers.solidityPacked(["string", "string"], ["w", await wToken2.symbol()]);

console.log("Symbol 1:", await wToken1.symbol());

console.log("Symbol 2:", await wToken2.symbol());

console.log("Packed 1:", encodePacked1);

console.log("Packed 2:", encodePacked2);

});

}

Potential collision example:

```solidity

abi.encodePacked("w", "USDT") -> 0x777755534454

abi.encodePacked("w", "USDC") -> 0x777755534443

The PoC test demonstrates that different symbols can produce identical results when using abi.encodePacked().

Impact

Severity: Low

The current impact is minimal because:

The result is not used in a hash function
The symbols are only used for display purposes
The wTokens are mapped to their original tokens via their addresses, not their symbols
No critical logic depends on these values

Tools Used

Hardhat unit tests
Custom PoC demonstrating the potential collision
Manual code review

Recommendations

Replace abi.encodePacked() with bytes.concat() for string concatenation:

string(bytes.concat(bytes("w"), bytes(_collateralTokenContract.symbol()))

Alternative: Use abi.encode() if the result needs to be used in a hash function in the future:

string(abi.encode("w", _collateralTokenContract.symbol()))

These modifications will prevent potential collisions and follow best practices for Solidity development.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.