search

hats-finance / SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7

1 stars 0 forks source link

possible hash collisions #42

Open hats-bug-reporter[bot] opened 4 hours ago

hats-bug-reporter[bot] commented 4 hours ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0xb219b63bd60442d95290f6eec53f1dcd40ba08f10e7d8eb1b4a6369b0f1f2719 Severity: low

Description: Description\ The usage of abi.encodePacked() with keccak256 might introduce hash collisions. When dynamic types are used with abi.encodePacked() , different args could introduce the same bytes. For example: abi.encodePacked("a", "bc") == abi.encodePacked("ab", "c")

This is from the solidity docs: If you use keccak256(abi.encodePacked(a, b)) and both a and b are dynamic types, it is easy to craft collisions in the hash value by moving parts of a into b and vice-versa. More specifically, abi.encodePacked("a", "bc") == abi.encodePacked("ab", "c"). If you use abi.encodePacked for signatures, authentication or data integrity, make sure to always use the same types and check that at most one of them is dynamic. Unless there is a compelling reason, abi.encode should be preferred.

https://docs.soliditylang.org/en/latest/abi-spec.html

Attack Scenario\ MarketFactory uses dynamic types with abi.encodePacked at several places in the code. The scenario for hash collisions is possible in those places

createMultiScalarMarket()
askRealityQuestion()
    function askRealityQuestion(
        string memory encodedQuestion,
        uint256 templateId,
        uint32 openingTime,
        uint256 minBond
    ) internal returns (bytes32) {
        bytes32 content_hash = keccak256(abi.encodePacked(templateId, openingTime, encodedQuestion));//@audit-issue dynamic hash collisions openingTime, encodedQuestion

        bytes32 question_id = keccak256(
            abi.encodePacked(
                content_hash, arbitrator, questionTimeout, minBond, address(realitio), address(this), uint256(0)//@audit-issue dynamic hash collisions , related to content_hash 
            )
        );

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional) use abi.encode() or put a delimeter "|" between each arg in abi.encodePacked()