This repository has been archived by the owner on Nov 26, 2023. It is now read-only.

T1MOH - abi.encodePacked should stop to be used since there are conversions around to deprecate it in future versions of Solidity #98

Closed
sherlock-admin opened this issue May 5, 2023 · 0 comments
Labels: Excluded (Excluded by the judge without consulting the protocol or the senior), Non-Reward (This issue will not receive a payout)

Comments

@sherlock-admin

T1MOH

medium

abi.encodePacked should stop to be used since there are conversions around to deprecate it in future versions of Solidity

Summary

abi.encodePacked() will be removed according to the Solidity guide ethereum/solidity#11593.
Also, it will cause a vulnerability in case of a future update where you add dynamic types as arguments. This is described here: https://docs.soliditylang.org/en/v0.8.19/abi-spec.html#non-standard-packed-mode

Vulnerability Detail

Impact

abi.encodePacked will behave unexpectedly in case of a future Solidity update and should not be used.
It will break the MerkleProof check if you add dynamic types to the leaf argument in the next protocol upgrade.

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L157
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L120
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumAcademy.sol#L239

Tool used

Manual Review

Recommendation

Use abi.encode() or bytes.concat() instead of abi.encodePacked.

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label May 10, 2023
@sherlock-admin sherlock-admin added the Non-Reward This issue will not receive a payout label May 22, 2023
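
An added example, not part of the original report or the Footium code: a Python model of the two encodings, showing why a packed Merkle leaf with two adjacent dynamic fields is ambiguous while the `abi.encode()` form is not. The leaf layout (an address followed by two strings) and the address value are constructed assumptions; comparing hash preimages is enough, because equal preimages always produce equal keccak256 leaves.

```python
# Added illustration: models abi.encodePacked and abi.encode for three types only.
# The leaf layout and ACCOUNT value are constructed, not the Footium leaf format.

ACCOUNT = "0x" + "11" * 20  # constructed sample address


def _pad32(data: bytes) -> bytes:
    """Right-pad to a multiple of 32 bytes, as abi.encode does for dynamic data."""
    return data + b"\x00" * (-len(data) % 32)


def encode_packed(fields) -> bytes:
    """Non-standard packed mode: values are concatenated with no length or offset."""
    out = b""
    for typ, val in fields:
        if typ == "string":
            out += val.encode()            # raw bytes, no length prefix, no padding
        elif typ == "address":
            out += bytes.fromhex(val[2:])  # 20 bytes
        elif typ == "uint256":
            out += val.to_bytes(32, "big")
        else:
            raise ValueError(f"unsupported type: {typ}")
    return out


def abi_encode(fields) -> bytes:
    """Standard ABI encoding: 32-byte head slots, dynamic data in a length-prefixed tail."""
    head_size = 32 * len(fields)
    head, tail = b"", b""
    for typ, val in fields:
        if typ == "string":
            data = val.encode()
            head += (head_size + len(tail)).to_bytes(32, "big")  # offset to tail entry
            tail += len(data).to_bytes(32, "big") + _pad32(data)
        elif typ == "address":
            head += bytes.fromhex(val[2:]).rjust(32, b"\x00")
        elif typ == "uint256":
            head += val.to_bytes(32, "big")
        else:
            raise ValueError(f"unsupported type: {typ}")
    return head + tail


# Two different leaves: the boundary between the two strings is shifted by one byte.
LEAF_A = [("address", ACCOUNT), ("string", "a"), ("string", "bc")]
LEAF_B = [("address", ACCOUNT), ("string", "ab"), ("string", "c")]

if __name__ == "__main__":
    print("packed preimages equal:", encode_packed(LEAF_A) == encode_packed(LEAF_B))
    print("abi.encode preimages equal:", abi_encode(LEAF_A) == abi_encode(LEAF_B))
```

With only static types in the leaf, the packed form has fixed field widths and this ambiguity does not arise, which is why the report frames it as a risk for a later upgrade.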