Audit: abi.encodePacked() should not be used with dynamic types when passing the result to a hash function such as keccak256()
Closed this issue · 1 comments
Use abi.encode()
instead which will pad items to 32 bytes, which will prevent hash collisions (e.g. abi.encodePacked(0x123,0x456)
=> 0x123456
=> abi.encodePacked(0x1,0x23456)
, but abi.encode(0x123,0x456)
=> 0x0...1230...456
). Unless there is a compelling reason, abi.encode
should be preferred. If there is only one argument to abi.encodePacked()
it can often be cast to bytes()
or bytes32()
instead.
If all arguments are strings and or bytes, bytes.concat()
should be used instead.
- Found in src/MCV2_MultiToken.sol: Line: 64
In the context of contractURI
function, the risk of hash collisions is not a concern because the function is simply generating a URL string, not a hash to be used as a unique identifier. Therefore, using abi.encodePacked()
in this context is acceptable.