You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[✅] I have searched the existing issues and pull requests for duplicates.
Type of Issue
[✅] New vulnerability addition
Feature request
Update existing vulnerability
Description
Using abi.encodePacked() with multiple variable-length arguments can, in certain situations, lead to a hash collision. Since abi.encodePacked() packs all elements in order regardless of whether they're part of an array, you can move elements between arrays and, so long as all elements are in the same order, it will return the same encoding. In a signature verification situation, an attacker could exploit this by modifying the position of elements in a previous function call to effectively bypass authorization.
Checklist
Type of Issue
Description
Using
abi.encodePacked()
with multiple variable-length arguments can, in certain situations, lead to a hash collision. Sinceabi.encodePacked()
packs all elements in order regardless of whether they're part of an array, you can move elements between arrays and, so long as all elements are in the same order, it will return the same encoding. In a signature verification situation, an attacker could exploit this by modifying the position of elements in a previous function call to effectively bypass authorization.Sources
The text was updated successfully, but these errors were encountered: