diff --git a/CHANGELOG.md b/CHANGELOG.md index be98a0a5bf1..1d0f2e32697 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -356,6 +356,7 @@ Released with 1.0.0-beta.37 code base. ### Added - Github action for running tests for `web3-eth2-core` and `web3-eth2-beaconchain` packages (#3892) +- Added Security risk warning to docs for `web3.utils.soliditySha3` (#3908) ### Changed diff --git a/docs/web3-utils.rst b/docs/web3-utils.rst index 46ab23a07fb..cb292942c16 100644 --- a/docs/web3-utils.rst +++ b/docs/web3-utils.rst @@ -319,6 +319,8 @@ soliditySha3 Will calculate the sha3 of given input parameters in the same way solidity would. This means arguments will be ABI converted and tightly packed before being hashed. +.. warning:: This method poses a security risk where multiple inputs can compute to the same hash. Provided in the example code are multiple cases of this security risk + ---------- Parameters ---------- 
@@ -344,6 +346,20 @@ Example .. code-block:: javascript + // As a short example of the non-distinguished nature of + // Solidity tight-packing (which is why it is inappropriate + // for many things from a security point of view), consider + // the following examples are all equal, despite representing + // very different values and layouts. + web3.utils.soliditySha3('hello','world01') + // "0xfb0a9d38c4dc568cbd105866540986fabf3c08c1bfb78299ce21aa0e5c0c586b" + web3.utils.soliditySha3({type: 'string', value: 'helloworld'},{type: 'string', value: '01'}) + // "0xfb0a9d38c4dc568cbd105866540986fabf3c08c1bfb78299ce21aa0e5c0c586b" + web3.utils.soliditySha3({type: 'string', value: 'hell'},{type: 'string', value: 'oworld'},{type: 'uint16', value: 0x3031}) + // "0xfb0a9d38c4dc568cbd105866540986fabf3c08c1bfb78299ce21aa0e5c0c586b" + web3.utils.soliditySha3({type: 'uint96', value: '32309054545061485574011236401'}) + // "0xfb0a9d38c4dc568cbd105866540986fabf3c08c1bfb78299ce21aa0e5c0c586b" + web3.utils.soliditySha3('234564535', '0xfff23243', true, -10); // auto detects: uint256, bytes, bool, int256 > "0x3e27a893dc40ef8a7f0841d96639de2f58a132be5ae466d40087a2cfa83b7179"
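Review bot: the CHANGELOG entry under the `### Added` heading should not itself start with "Added", and "Security" does not need a capital mid-sentence; "Security risk warning to docs for `web3.utils.soliditySha3` (#3908)" matches the style of the neighbouring entry for the eth2 GitHub action.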
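Review bot: the new `.. warning::` in `docs/web3-utils.rst` names the symptom ("multiple inputs can compute to the same hash") but not the cause or the mitigation, so a reader cannot tell when they are affected; the collision comes from tight packing of dynamic-length types (`string`, `bytes`), where the boundaries between arguments are not encoded, so different argument lists can pack to the identical byte sequence. Suggest stating that, and what to do about it, e.g. "Tight packing does not encode the boundaries between dynamic-length arguments, so different argument lists can pack to the same bytes and therefore the same hash. Do not use this method to hash untrusted or attacker-chosen inputs unless every argument has a fixed-size type; see the examples below." The sentence also lacks a trailing period, and "Provided in the example code are multiple cases of this security risk" reads better as "The example code shows several colliding inputs."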
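Review bot: in the example block, the `uint96` case is given only as a decimal string, which hides why it collides; the other three cases pack to the ASCII bytes of `helloworld01`, i.e. `0x68656c6c6f776f726c643031`, and writing the `uint96` value in that hex form (or adding it as a comment) makes the 12-byte layout visible instead of asking the reader to trust the matching hash. The comment "non-distinguished nature of Solidity tight-packing" would be clearer as "ambiguity of Solidity tight packing", and "which is why it is inappropriate for many things from a security point of view" should say what it is inappropriate for (hashing attacker-controlled dynamic-length inputs, e.g. for signatures or commitments) rather than "many things". Consider also closing the example with the safe counterpart, hashing the same arguments with fixed-size types only, so the warning's mitigation is demonstrated and not just stated.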