Closed indeqs closed 3 weeks ago
Good one! If we wanna make the vuln focused on hash collisions I think would be good to include other possible ways for them to occur. Otherwise it could be good to just make the vuln focus on hash collisions due to variable length arguments with encodePacked
Regarding this @kadenzipfel, it would be better to just focus on a single instance of hash collisions and publish a new one when another instance of hash collision is found. Like what is done with DoS vulnerabilities. All situations that can lead to DoS are not in one file but rather separate. Cause I am thinking if we do what you suggest with hash collisions, then we have to do the same for DoS for consistency :)
How is it looking now?
Related Issue
Checklist
Describe the changes you've made:
Addition of a vulnerability shading light on the dangers of using
abi.encodePacked()
with multiple variable-length arguments that could potentially led to a hash collision. This specific vulnerability can lead to security issues in smart contracts, particularly in signature verification scenarios, allowing attackers to bypass authorization mechanisms.The added information includes:
abi.encodePacked()
can lead to hash collisions and the potential impact on smart contract security.abi.encode()
instead ofabi.encodePacked()
and using fixed-length arrays.Type of change