Puppy Raffle

AI First Flight #1
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: high
Likelihood: low
Invalid

`abi.encodePacked()` should not be used with dynamic types when passing the result to a hash function such as `keccak256()`

Root + Impact

Description

  • The `tokenURI()` function uses `abi.encodePacked()` with dynamic types (strings) when constructing the token metadata JSON. Packed encoding carries no length words and no padding, so different argument lists can produce the same byte sequence, which leads to hash collisions when that sequence is hashed.

```solidity
/// @notice this function will return the URI for the token
/// @param tokenId the Id of the NFT
function tokenURI(uint256 tokenId) public view virtual override returns (string memory) {
    // @audit-ok _exists check correctly guards against nonexistent token queries.
    require(_exists(tokenId), "PuppyRaffle: URI query for nonexistent token");
    uint256 rarity = tokenIdToRarity[tokenId];
    string memory imageURI = rarityToUri[rarity];
    string memory rareName = rarityToName[rarity];
    return string(
        abi.encodePacked(
            _baseURI(),
@>          Base64.encode(
                bytes(
@>                  abi.encodePacked(
                        '{"name":"',
                        name(),
                        '", "description":"An adorable puppy!", ',
                        '"attributes": [{"trait_type": "rarity", "value": ',
                        rareName,
                        '}], "image":"',
                        imageURI,
                        '"}'
                    )
                )
            )
        )
    );
}
```

Risk

Likelihood:

  • `abi.encodePacked("a", "bc")` produces exactly the same bytes as `abi.encodePacked("ab", "c")`, so two different argument lists yield the same packed encoding and therefore the same hash.

Impact:

  • While in this specific case the impact is limited since the strings are mostly hardcoded, using `abi.encodePacked()` with dynamic types is a dangerous pattern that can lead to hash collisions in other contexts.
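The collision described above, and the difference between packed and padded encoding, can be checked offline with the following added example. This is not code from the Puppy Raffle project: it is a minimal Python model of `abi.encodePacked` and `abi.encode` for string arguments (the head/tail layout of the Solidity ABI), plus a reproduction of the JSON concatenation in `tokenURI()`. It assumes a stand-in hash (`hashlib.sha3_256`, since Python's `hashlib` has no keccak256); the collision argument concerns the encoding, not the hash function, so any hash shows the same behaviour.

```python
import base64
import hashlib

# Added example (not the Puppy Raffle project's code): a minimal model of
# Solidity's abi.encodePacked and abi.encode for string arguments.


def encode_packed(*args: str) -> bytes:
    """abi.encodePacked for strings: raw UTF-8 bytes concatenated, no length, no padding."""
    return b"".join(a.encode("utf-8") for a in args)


def _pad32(data: bytes) -> bytes:
    """Right-pad to a multiple of 32 bytes, as the ABI tail encoding requires."""
    return data + b"\x00" * (-len(data) % 32)


def encode(*args: str) -> bytes:
    """abi.encode for a tuple of strings (ABI head/tail layout).

    Head: one 32-byte offset per argument, pointing into the tail.
    Tail: per argument, a 32-byte length word followed by the data padded to 32 bytes.
    """
    head_size = 32 * len(args)
    head, tail = b"", b""
    for a in args:
        data = a.encode("utf-8")
        head += (head_size + len(tail)).to_bytes(32, "big")
        tail += len(data).to_bytes(32, "big") + _pad32(data)
    return head + tail


def digest(data: bytes) -> str:
    # Stand-in for keccak256 (assumption: hashlib has no keccak). Whether two
    # encodings collide is decided by the encoding itself, not by the hash.
    return hashlib.sha3_256(data).hexdigest()


def same_hash(encoder, left: tuple, right: tuple) -> bool:
    """True when hashing encoder(*left) and encoder(*right) gives the same digest."""
    return digest(encoder(*left)) == digest(encoder(*right))


def puppy_metadata(name: str, rare_name: str, image_uri: str, encoder=encode_packed) -> bytes:
    """The metadata JSON assembled in tokenURI(), built with the chosen encoder."""
    return encoder(
        '{"name":"',
        name,
        '", "description":"An adorable puppy!", ',
        '"attributes": [{"trait_type": "rarity", "value": ',
        rare_name,
        '}], "image":"',
        image_uri,
        '"}',
    )


def token_uri(base_uri: str, name: str, rare_name: str, image_uri: str) -> str:
    """Mirror of tokenURI(): baseURI followed by base64 of the packed JSON (no hashing)."""
    packed = puppy_metadata(name, rare_name, image_uri)
    return base_uri + base64.b64encode(packed).decode("ascii")


if __name__ == "__main__":
    # Constructed sample inputs.
    left, right = ("a", "bc"), ("ab", "c")
    print("packed encodings collide:", same_hash(encode_packed, left, right))
    print("abi.encode encodings collide:", same_hash(encode, left, right))
    # In tokenURI() the packed bytes are base64-encoded into a data URI, not hashed;
    # abi.encode would inject 32-byte offset/length words (NUL bytes) into that JSON.
    print("NUL bytes in abi.encode JSON:",
          b"\x00" in puppy_metadata("Puppy Raffle", "common", "ipfs://example", encode))
    print(token_uri("data:application/json;base64,", "Puppy Raffle", "common", "ipfs://example"))
```

Running the script shows the packed encodings of `("a", "bc")` and `("ab", "c")` hashing identically while the padded encodings do not, and also that substituting `abi.encode` into the `tokenURI()` concatenation would put offset and length words into the JSON bytes rather than just removing a collision.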

Recommended Mitigation

Use `abi.encode()` instead, which pads items to 32 bytes preventing hash collisions. Alternatively, if all arguments are strings, use `bytes.concat()`.
```diff
- abi.encodePacked(
+ abi.enc
```
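Review bot: the `+` line is cut off after `abi.enc`, so the proposed replacement cannot be reviewed as written; please restore the full line. Note also that in `tokenURI()` the encoded bytes are passed through `Base64.encode()` into the metadata string and never hashed, so replacing the inner `abi.encodePacked(` with `abi.encode(` would insert 32-byte offset and length words into the JSON and corrupt the token metadata, while the `bytes.concat()` alternative named above concatenates without padding, exactly like packed encoding, and so does not remove the collision property either.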
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
