HardhatDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

'abi.encodePacked()' SHOULD NOT BE USED WITH DYNAMIC TYPES WHEN PASSING THE RESULT TO A HASH FUNCTION SUCH AS 'KECCAK256()'

Summary:

File path: 2025-01-diva/contracts/src/AaveDIVAWrapperCore.sol, line 93

Code:

string(abi.encodePacked("w", _collateralTokenContract.symbol())),

The vulnerability you've identified involves the use of abi.encodePacked() with dynamic types, which can lead to hash collisions when the result is passed to a hash function like keccak256(). In the code, abi.encodePacked() is used to concatenate the string "w" with the symbol of the collateral token to create the name of the wrapped token. If the symbol of the collateral token is a dynamic type (e.g., a string), using abi.encodePacked() can result in ambiguous encoding. This ambiguity arises because abi.encodePacked() does not include length information for dynamic types, leading to potential collisions if two different inputs produce the same encoded output. This can be exploited to create unintended behavior or security vulnerabilities in the contract. To mitigate this risk, it's recommended to use abi.encode() instead, which includes length information and prevents such collisions.

Vulnerability Details:

  1. Lack of Length Information: abi.encodePacked() omits length data for dynamic types, which can lead to ambiguous encoding when concatenating dynamic and static types.

  2. Possible Hash Collision: This ambiguity increases the risk of hash collisions when passed to functions like keccak256(), where different inputs may produce identical hash outputs.

  3. Exploitable Bug: Attackers can exploit these collisions to manipulate contract logic, potentially leading to incorrect behavior or vulnerabilities in the system.

Impact:

  • Ambiguous Encoding: abi.encodePacked() does not provide length information for dynamic types, leading to possible collisions when concatenating the dynamic types with fixed ones.

  • Hash Collisions: Using keccak256() on an ambiguous concatenation can result in two different inputs producing the same hash, causing incorrect or unexpected behavior in the contract.

  • Security Risk: The vulnerability can be exploited to cause unintended behavior in the contract, such as creating a wrapped token name collision or other logic errors, compromising the integrity of the system.

Tools Used

Recommendations:
abi.encodePacked() with dynamic types, which can indeed lead to hash collisions. However, in this specific context, the use of abi.encodePacked() is not directly related to hashing but rather to string concatenation for naming purposes. Nonetheless, it's good practice to avoid potential ambiguities.

To resolve this issue, you can replace abi.encodePacked() with abi.encode(), which includes length information and prevents such collisions. Here's how you can modify the code:

Replace:

string(abi.encodePacked("w", _collateralTokenContract.symbol()))

With:

string(abi.encode("w", _collateralTokenContract.symbol()))

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
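
An added example, not part of the submission or the contest code base: a standard-library Python model of how abi.encodePacked() and abi.encode() lay out string arguments. It compares the general case of two adjacent dynamic arguments with the quoted line's literal "w" followed by a single symbol; the function names and sample symbols are constructed for illustration.

```python
# Added example: stdlib-only model of Solidity's two encoders, strings only.

def encode_packed(*parts: str) -> bytes:
    """abi.encodePacked model: raw UTF-8 bytes back to back, no lengths."""
    return b"".join(p.encode("utf-8") for p in parts)

def _tail(s: str) -> bytes:
    """One dynamic value: 32-byte length, then data right-padded to 32 bytes."""
    data = s.encode("utf-8")
    return len(data).to_bytes(32, "big") + data + b"\x00" * (-len(data) % 32)

def encode_standard(*parts: str) -> bytes:
    """abi.encode model: one 32-byte offset per argument, then the tails."""
    tails = [_tail(p) for p in parts]
    head, offset = b"", 32 * len(parts)
    for t in tails:
        head += offset.to_bytes(32, "big")
        offset += len(t)
    return head + b"".join(tails)

def packed_collides(a: tuple, b: tuple) -> bool:
    """True when two different argument tuples give identical packed bytes."""
    return a != b and encode_packed(*a) == encode_packed(*b)

def wrapped_name(symbol: str) -> str:
    """Mirror of string(abi.encodePacked("w", symbol)) from the quoted line."""
    return encode_packed("w", symbol).decode("utf-8")

def fixed_prefix_is_injective(symbols: list) -> bool:
    """With a constant first argument, distinct symbols give distinct names."""
    names = {wrapped_name(s) for s in set(symbols)}
    return len(names) == len(set(symbols))

# Constructed sample symbols, not taken from the contest code base.
SAMPLE_SYMBOLS = ["USDC", "USDT", "DAI", "WETH", "w", "ww", ""]

if __name__ == "__main__":
    # Two adjacent dynamic arguments: the boundary can shift, so packed collides.
    print(packed_collides(("ab", "c"), ("a", "bc")))
    print(encode_standard("ab", "c") == encode_standard("a", "bc"))
    # The quoted line: a literal prefix plus one dynamic string.
    print(fixed_prefix_is_injective(SAMPLE_SYMBOLS))
    print(wrapped_name("USDC"))
    # abi.encode output cast to string: offsets, lengths and zero padding.
    blob = encode_standard("w", "USDC")
    print(len(blob), b"wUSDC" in blob)
```

The packed collision needs two adjacent dynamic arguments whose boundary can move; with one literal and one dynamic string the packed bytes are simply the concatenated name, while the abi.encode() layout is a 192-byte blob that does not contain that name.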
