Skip to content

Latest commit

 

History

History
58 lines (39 loc) · 1.57 KB

084.md

File metadata and controls

58 lines (39 loc) · 1.57 KB

Fierce Pecan Swallow

Medium

abi.encodePacked is not a proper way to generate unique order Id

Summary

Currently unique order id is generated based on this logic

uint256(
            keccak256(abi.encodePacked(sender, block.timestamp))
        );

But this is susceptible to Collisions as encodePacked will just concatenate two values and block.timestamp value is predictable so Miners can influence the exact timestamp for potential exploitation. Better to use Chainlink contracts and generate the Order Id. This will be bit costly but more secure and stable than the current logic. If we need less costly solution try adding more more parameter nonce along with address and timestamp

Root Cause

The issue happened due to the below logic

uint256(
            keccak256(abi.encodePacked(sender, block.timestamp))
        );

Source https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/AutomationMaster.sol#L92

Cheaper solution:

uint256(
            keccak256(abi.encodePacked(sender, block.timestamp, **nonce** ))
        );

A more stable and secure solution: Integrate chainlink contracts to generate the Id

Impact

Unexpected consequences might occur which could lead to same Order Id and the existing order will be replaced due to this

Mitigation

Cheaper solution:

uint256(
            keccak256(abi.encodePacked(sender, block.timestamp, **nonce** ))
        );

A more stable and secure solution Integrate chainlink contracts to generate the Id