Submission Details
Severity:
`AaveDIVAWrapperCore::_registerCollateralToken` Unsafe Use of `abi.encodePacked()`
Summary
AaveDIVAWrapperCore::_registerCollateralToken Unsafe Use of abi.encodePacked()
Vulnerability Details
The contract uses abi.encodePacked() to concatenate strings when creating a WToken name, which can lead to potential hash collision vulnerabilities when used with dynamic types.
WToken _wTokenContract = new WToken(
string(abi.encodePacked("w", _collateralTokenContract.symbol())),
_collateralTokenContract.decimals(),
address(this)
);
Impact
Potential for hash collision when
abi.encodePacked()is used with dynamic typesCould introduce unexpected behavior if the function is modified in the future to use hashing
Proof of Concept
function demonstrateHashCollision() public {
string memory a = "aa";
string memory b = "b";
bytes memory packedAB = abi.encodePacked(a, b);
bytes memory packedAB_Collision = abi.encodePacked(string(abi.encodePacked(a)), b);
assert(keccak256(packedAB) == keccak256(packedAB_Collision));
}
Tools Used
Hardhat
Recommendations
If string concatenation is required, use more explicit concatenation methods:
string memory wTokenSymbol = string.concat("w", _collateralTokenContract.symbol());
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
51929 USDC / LOC
14,000
1,000
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.