Description: Use abi.encode() instead, which pads each item to 32 bytes and therefore prevents hash collisions (e.g. abi.encodePacked(0x123,0x456) => 0x123456 => abi.encodePacked(0x1,0x23456), but abi.encode(0x123,0x456) => 0x0...1230...456). Unless there is a compelling reason, abi.encode() should be preferred. If there is only one argument to abi.encodePacked(), it can often be cast to bytes() or bytes32() instead.
If all arguments are strings and/or bytes, bytes.concat() should be used instead.
Impact:
Hash collisions can lead to unintended behavior or vulnerabilities, especially if the hash is used for critical operations like identifying unique items or verifying data integrity.
This could potentially allow attackers to manipulate the contract's logic by exploiting hash collisions.
Proof of Concept: Consider the following example where abi.encodePacked() is used:
Recommended Mitigation:
Use abi.encode() Instead: Use abi.encode() instead of abi.encodePacked() to ensure that each argument is padded to 32 bytes, preventing hash collisions.
Example:
Use bytes.concat() for Strings and Bytes: If all arguments are strings or bytes, consider using bytes.concat() to safely concatenate them without risk of collision.
Example:
Cast Single Arguments: If there is only one argument to abi.encodePacked(), it can often be cast to bytes() or bytes32() directly.
Example:
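Worked example covering the proof of concept and all three mitigations in one contract. This is an illustration added here, not code from the audited project; the contract and function names (EncodingCollisionDemo, packedKey, safeKey, joined, singleStringKey, singleUintId, demonstrate) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // bytes.concat() is available from 0.8.4 onwards

// Added illustration, not code from the audited project.
// One contract that shows the packed-encoding collision and each of the
// three recommended alternatives. All names here are hypothetical.
contract EncodingCollisionDemo {
    // VULNERABLE pattern from the finding: two dynamic arguments are packed
    // without length prefixes, so ("ab", "c") and ("a", "bc") both pack to
    // 0x616263 and therefore hash to the same key.
    function packedKey(string memory a, string memory b) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(a, b));
    }

    // Mitigation 1: abi.encode() emits a head offset and a 32-byte length
    // for every dynamic argument, so the two pairs above no longer share
    // a preimage and cannot hash to the same value.
    function safeKey(string memory a, string memory b) public pure returns (bytes32) {
        return keccak256(abi.encode(a, b));
    }

    // Mitigation 2: when every argument is bytes/string and the goal really
    // is concatenation (assembling a message, not deriving a unique key),
    // bytes.concat() states that intent explicitly. It inserts no separators,
    // so the result is byte-identical to the packed form; use it for
    // concatenation, and abi.encode() when the output is hashed as an identifier.
    function joined(string memory a, string memory b) public pure returns (bytes memory) {
        return bytes.concat(bytes(a), bytes(b));
    }

    // Mitigation 3: a single argument needs no ABI call at all; cast it.
    // abi.encodePacked(s) for a string is byte-identical to bytes(s).
    function singleStringKey(string memory s) public pure returns (bytes32) {
        return keccak256(bytes(s));
    }

    // abi.encodePacked(x) for a uint256 is byte-identical to bytes32(x),
    // so where a fixed-width identifier is all that is needed, the cast
    // replaces the encoding call entirely.
    function singleUintId(uint256 x) public pure returns (bytes32) {
        return bytes32(x);
    }

    // Self-check: compares the keys derived from the two colliding argument
    // pairs under the vulnerable and the recommended encoding.
    function demonstrate() external pure returns (bool packedCollides, bool encodedCollides) {
        packedCollides  = packedKey("ab", "c") == packedKey("a", "bc");
        encodedCollides = safeKey("ab", "c")   == safeKey("a", "bc");
    }
}
```

Deploying the contract in Remix or a Foundry test and calling demonstrate() shows packedCollides as true and encodedCollides as false, which is exactly the difference the finding describes: abi.encodePacked() loses the boundary between the two strings, abi.encode() preserves it.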