Audit: abi.encodePacked() should not be used with dynamic types when passing the result to a hash function such as keccak256()

Question

Audit: abi.encodePacked() should not be used with dynamic types when passing the result to a hash function such as keccak256()

Closed this issue 10 months ago · 1 comments

Use abi.encode() instead which will pad items to 32 bytes, which will prevent hash collisions (e.g. abi.encodePacked(0x123,0x456) => 0x123456 => abi.encodePacked(0x1,0x23456), but abi.encode(0x123,0x456) => 0x0...1230...456). Unless there is a compelling reason, abi.encode should be preferred. If there is only one argument to abi.encodePacked() it can often be cast to bytes() or bytes32() instead.
If all arguments are strings and or bytes, bytes.concat() should be used instead.

Found in src/MCV2_MultiToken.sol: Line: 64

Answer 1 · 2023-12-11T11:07:43.000Z

In the context of contractURI function, the risk of hash collisions is not a concern because the function is simply generating a URL string, not a hash to be used as a unique identifier. Therefore, using abi.encodePacked() in this context is acceptable.