hats-finance / Metrom-0xfdfc6d4ac5807d7460da20a3a1c0c84ef2b9c5a2

Smart contracts for the Metrom project.
GNU General Public License v3.0

USAGE OF ABI ENCODEPACKED FUNCTION #11

Open hats-bug-reporter[bot] opened 3 months ago

hats-bug-reporter[bot] commented 3 months ago

Github username: @@giorgiodalla Twitter username: 0xAuditism Submission hash (on-chain): 0x177186b298be83ff6acd1a83834eecdb5c5f88936f77bb81d482b5f609c2633a Severity: low

Description:

Using abi.encodePacked() with multiple variable length arguments can, in certain situations, lead to a hash collision.

Attack Scenario:

Attachments

  1. Proof of Concept (PoC) File: the _campaignId is created with abi.encodePacked, a keccak256 hash of different variables of varying length, which creates a hash collision risk.

  2. Revised Code File (Optional)

    • Instead of using encodePacked consider using abi.encode:

      function _campaignId(CreateBundle memory _bundle) internal pure returns (bytes32) {
          return keccak256(
              // before: abi.encodePacked(...) over the same fields
              abi.encode(
                  _bundle.chainId,
                  _bundle.pool,
                  _bundle.from,
                  _bundle.to,
                  _bundle.specification,
                  _bundle.rewardTokens,
                  _bundle.rewardAmounts
              )
          );
      }
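Added example, not part of the report or of the Metrom contracts: a minimal Python re-implementation of the Solidity ABI rules for the two dynamic arrays in the bundle (rewardTokens as address[], rewardAmounts as uint256[]), showing why the packed pre-image collides when an element moves across the array boundary while abi.encode keeps the two bundles distinct. The token addresses and amounts are constructed sample values.

```python
from typing import List, Tuple

WORD = 32  # Solidity ABI word size in bytes


def _word(value: int) -> bytes:
    """Left-pad an address or uint256 to one 32-byte word."""
    return value.to_bytes(WORD, "big")


def encode_packed(tokens: List[int], amounts: List[int]) -> bytes:
    """abi.encodePacked(address[] rewardTokens, uint256[] rewardAmounts):
    each array element is padded to 32 bytes and the words are simply
    concatenated, with no length field and no offsets, so the boundary
    between the two arrays is not recorded in the bytes."""
    return b"".join(_word(v) for v in tokens + amounts)


def encode(tokens: List[int], amounts: List[int]) -> bytes:
    """abi.encode(address[] rewardTokens, uint256[] rewardAmounts):
    the head holds an offset to each array's tail and every tail starts
    with the array length, so moving an element across the boundary
    changes the encoding."""
    def tail(arr: List[int]) -> bytes:
        return _word(len(arr)) + b"".join(_word(v) for v in arr)

    tail_tokens, tail_amounts = tail(tokens), tail(amounts)
    head = _word(2 * WORD) + _word(2 * WORD + len(tail_tokens))
    return head + tail_tokens + tail_amounts


def collision_check() -> Tuple[bool, bool]:
    """Two constructed bundles that differ only in where the array boundary
    falls. Returns (packed pre-images equal, abi.encode pre-images equal)."""
    token_a = 0x1111111111111111111111111111111111111111  # constructed address
    token_b = 0x2222222222222222222222222222222222222222  # constructed address
    bundle_1 = ([token_a, token_b], [100])   # two tokens, one amount
    bundle_2 = ([token_a], [token_b, 100])   # one token, two amounts
    return (
        encode_packed(*bundle_1) == encode_packed(*bundle_2),
        encode(*bundle_1) == encode(*bundle_2),
    )


if __name__ == "__main__":
    packed_same, encoded_same = collision_check()
    print("abi.encodePacked pre-images identical:", packed_same)  # True
    print("abi.encode pre-images identical:", encoded_same)       # False
```

Because keccak256 is applied to these bytes, identical pre-images give an identical _campaignId; the abi.encode form removes that ambiguity.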
luzzif commented 3 months ago

Addressed in https://github.com/metrom-xyz/contracts/commit/b2a8dd471ff93c5e7929274213db5e14d00fc846