abi.encodePacked hash collision with variable length arguments
Description
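The function $F() uses abi.encodePacked with variable-length arguments, which can lead to hash collisions. Packed encoding concatenates dynamic values such as bytes and string without recording their lengths, so different argument lists can produce identical bytes and therefore identical hashes. An attacker who controls the inputs can exploit this by moving bytes from one argument to the next, causing unintended behavior.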
Examples
Insecure Code
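```solidity
function test(bytes memory a, bytes memory b) public {
    // Packed encoding concatenates a and b with no length information.
    bytes memory x = abi.encodePacked(a, b);
}
```
Secure Code
```solidity
function test(bytes memory a, bytes memory b) public {
    // abi.encode records the length of each dynamic argument before hashing.
    bytes32 hash = keccak256(abi.encode(a, b));
}
```
Remediation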
Use a fixed-size encoding or a collision-resistant hash function.
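The collision and the fix side by side, as an added example that is not part of the original rule page. The contract name, function names and input values are hypothetical and constructed for illustration: the two packed digests are equal, while the two abi.encode digests differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; all names here are hypothetical.
contract PackedCollisionDemo {
    // Packed encoding concatenates dynamic values with no length prefix,
    // so the boundary between a and b is lost before hashing.
    function packedDigest(bytes memory a, bytes memory b)
        public pure returns (bytes32)
    {
        return keccak256(abi.encodePacked(a, b));
    }

    // Standard ABI encoding stores an offset and a length for every dynamic
    // value, so distinct (a, b) pairs encode to distinct byte strings.
    function encodedDigest(bytes memory a, bytes memory b)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(a, b));
    }

    // Constructed inputs: ("a", "bc") and ("ab", "c") both pack to 0x616263.
    function packedCollides() external pure returns (bool) {
        return packedDigest("a", "bc") == packedDigest("ab", "c");
    }

    // Same inputs through abi.encode: the recorded lengths (1, 2) and (2, 1)
    // keep the two encodings apart.
    function encodedCollides() external pure returns (bool) {
        return encodedDigest("a", "bc") == encodedDigest("ab", "c");
    }
}
```

The two comparison functions can be called from a unit test to confirm that a digest used for signatures or mapping keys does not depend on packed dynamic arguments.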
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0484 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-20 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | hash collision, abi.encodePacked |
| OWASP | N/A |