While KECCAK256 (SHA-3) is cheaper for Ethereum, SHA2-256 is supported by NEO and the Ethereum variation of KECCAK isn't the same as the later updated SHA-3 standard.
Whereas the SHA256 implementation across Ethereum and NEO is the same.
I'm not concerned about preventing length extension attacks, and the security of SHA-2 is fine in this context IMO.
While KECCAK256 (SHA-3) is cheaper for Ethereum, SHA2-256 is supported by NEO and the Ethereum variation of KECCAK isn't the same as the later updated SHA-3 standard.
Whereas the SHA256 implementation across Ethereum and NEO is the same.
I'm not concerned about preventing length extension attacks, and the security of SHA-2 is fine in this context IMO.