Description
The usage of abi.encodePacked() with keccak256 might introduce hash collisions. When dynamic types are used with abi.encodePacked(), different arguments could produce the same bytes. For example:
abi.encodePacked("a", "bc") == abi.encodePacked("ab", "c")
This is from the Solidity docs:
If you use keccak256(abi.encodePacked(a, b)) and both a and b are dynamic types, it is easy to craft collisions in the hash value by moving parts of a into b and vice-versa. More specifically, abi.encodePacked("a", "bc") == abi.encodePacked("ab", "c"). If you use abi.encodePacked for signatures, authentication or data integrity, make sure to always use the same types and check that at most one of them is dynamic. Unless there is a compelling reason, abi.encode should be preferred.
Attack Scenario
MarketFactory uses dynamic types with abi.encodePacked in several places in the code. Hash collisions are possible in those places.
GitHub username: --
Twitter username: --
Submission hash (on-chain): 0xb219b63bd60442d95290f6eec53f1dcd40ba08f10e7d8eb1b4a6369b0f1f2719
Severity: low
https://docs.soliditylang.org/en/latest/abi-spec.html
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Use abi.encode() or put a delimiter "|" between each arg in abi.encodePacked().
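The collision and the two suggested fixes, modelled at the byte level as an added example (not code from the submission or from MarketFactory). The function names and sample strings are constructed; the model covers string arguments only and compares the pre-image bytes that keccak256 would hash. It also shows that the delimiter variant stays unambiguous only when no argument can contain the delimiter.

```python
# Byte-level model of Solidity's encodings for string arguments.
# Function names are illustrative; sample inputs are constructed.

def encode_packed(*args: str) -> bytes:
    """abi.encodePacked: raw UTF-8 bytes, no length prefix, no padding."""
    return b"".join(a.encode() for a in args)

def encode_packed_delimited(*args: str, delim: str = "|") -> bytes:
    """abi.encodePacked(a, "|", b, ...): raw bytes with a separator between fields."""
    return delim.encode().join(a.encode() for a in args)

def _word(n: int) -> bytes:
    """One 32-byte big-endian ABI word."""
    return n.to_bytes(32, "big")

def abi_encode(*args: str) -> bytes:
    """abi.encode for dynamic strings: offset table, then length + padded data."""
    head, tail = b"", b""
    head_size = 32 * len(args)
    for a in args:
        data = a.encode()
        padded = data + b"\x00" * (-len(data) % 32)
        head += _word(head_size + len(tail))   # offset of this argument's tail
        tail += _word(len(data)) + padded      # explicit length removes ambiguity
    return head + tail

def collides(encoder, x: tuple, y: tuple) -> bool:
    """True when two different argument tuples give identical pre-image bytes,
    and therefore an identical keccak256 digest."""
    return x != y and encoder(*x) == encoder(*y)

if __name__ == "__main__":
    pairs = [
        (("a", "bc"), ("ab", "c")),    # the pair quoted from the Solidity docs
        (("a|", "b"), ("a", "|b")),    # arguments that contain the delimiter
    ]
    for x, y in pairs:
        for enc in (encode_packed, encode_packed_delimited, abi_encode):
            print(f"{enc.__name__:24} {x} vs {y}: collision={collides(enc, x, y)}")
```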