sherlock-audit / 2024-10-ethos-network-judging


justAWanderKid - Possibility of Unexpectedly Claiming an Existent Attestation Due to Hash Collision in Attestation Creation Process #217

Open sherlock-admin2 opened 3 weeks ago

sherlock-admin2 commented 3 weeks ago

justAWanderKid

Medium

Possibility of Unexpectedly Claiming an Existent Attestation Due to Hash Collision in Attestation Creation Process

Description

If we examine the getServiceAndAccountHash() function, we see that it uses abi.encodePacked() to hash the attestation service and account to produce the attestationHash.

A hash collision can occur when hashing dynamic values with abi.encodePacked(), which may result in two different attestation service and attestation account combinations producing the same hash.

This situation could lead to an unintentional claim of an existing attestation when a user attempts to create a new attestation by calling the EthosAttestation::createAttestation() function, and the user will be unable to create an attestation about the desired service and account.

Impact

The use of abi.encodePacked() with dynamic data types in the getServiceAndAccountHash() function raises the risk of hash collisions. This could allow two different combinations of attestation service and attestation account to generate identical attestationHash values. If such a collision occurs, a user attempting to create a new attestation may unintentionally claim an existing attestation belonging to another user.

This issue can lead to unintended attestation claims, potentially causing confusion and data integrity issues, as it disrupts the intended uniqueness of attestations.

Recommended mitigation

Use abi.encode() instead of abi.encodePacked() inside the getServiceAndAccountHash() function.

Recommended read on hash collision: [1, 2]
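As an added illustration (not code from the finding or from the Ethos codebase), the Python below emulates abi.encodePacked() and abi.encode() for two string arguments and checks whether two distinct (service, account) pairs hash to the same value, which is the mechanism the finding describes. The sample pairs are constructed, and hashlib.sha3_256 stands in for Solidity's keccak256 (the digests differ, but the collision behaviour depends only on the encoded input bytes).

```python
import hashlib


def abi_encode_packed(*values: str) -> bytes:
    """Emulate Solidity abi.encodePacked() for string arguments: raw UTF-8
    bytes are concatenated with no length prefix and no padding, so the
    boundary between the arguments is lost."""
    return b"".join(v.encode() for v in values)


def abi_encode(*values: str) -> bytes:
    """Emulate Solidity abi.encode() for string arguments (standard ABI):
    a head of 32-byte offsets, then per string its length as a 32-byte word
    followed by the bytes right-padded to a 32-byte boundary."""
    head, tail = b"", b""
    head_size = 32 * len(values)
    for v in values:
        raw = v.encode()
        head += (head_size + len(tail)).to_bytes(32, "big")
        padded = raw + b"\x00" * ((32 - len(raw) % 32) % 32)
        tail += len(raw).to_bytes(32, "big") + padded
    return head + tail


def service_account_hash(service: str, account: str, packed: bool) -> bytes:
    """Stand-in for getServiceAndAccountHash(): hash the encoding of
    (service, account). sha3_256 replaces keccak256 here (assumption)."""
    enc = abi_encode_packed(service, account) if packed else abi_encode(service, account)
    return hashlib.sha3_256(enc).digest()


def collides(pair_a, pair_b, packed: bool) -> bool:
    """True when two distinct (service, account) pairs yield the same hash."""
    return pair_a != pair_b and service_account_hash(*pair_a, packed) == service_account_hash(*pair_b, packed)


# Constructed sample pairs: identical concatenated bytes, different boundary.
PAIR_A = ("x.com", "alice")
PAIR_B = ("x.co", "malice")
```

With the packed encoding both pairs map to one attestationHash; with abi.encode() the length words keep them apart.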