Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/hash-collision

Name: hash-collision
Author: apegurus

skills/vulnerability-patterns/hash-collision/SKILL.md

npx skillsauth add apegurus/solidity-argus hash-collision

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Hash Collision with abi.encodePacked()

Preconditions

Contract uses abi.encodePacked() to encode data before hashing (typically with keccak256)
Two or more adjacent arguments in the encodePacked call are variable-length types (strings, bytes, dynamic arrays)
The resulting hash is used for authentication, deduplication, or signature verification

Vulnerable Pattern

function verify(string memory a, string memory b, bytes memory sig) external {
    // abi.encodePacked("a", "bc") == abi.encodePacked("ab", "c")
    // Attacker shifts bytes between arguments to forge a valid hash
    bytes32 hash = keccak256(abi.encodePacked(a, b));
    require(ECDSA.recover(hash, sig) == trustedSigner);
    _execute(a, b);
}

// Array variant:
// abi.encodePacked([addr1, addr2], [addr3])
//   == abi.encodePacked([addr1], [addr2, addr3])

Detection Heuristics

Search for abi.encodePacked( calls
Check how many arguments are variable-length types (string, bytes, dynamic arrays like address[], uint256[])
If two or more adjacent arguments are variable-length, flag it — elements can be shifted between arguments to produce an identical encoding
Check if the packed result feeds into keccak256 for security-sensitive purposes (signature verification, access control, deduplication)
If only one argument is variable-length, or all arguments are fixed-length (address, uint256, bool), it is safe

False Positives

Only one argument is a variable-length type (no adjacent dynamic types to shift between)
All arguments are fixed-length types (address, uint256, bytes32, bool, etc.)
abi.encode() is used instead of abi.encodePacked() (includes length prefixes, no collision)
The hash is not used for any security-sensitive purpose

Remediation

Replace abi.encodePacked() with abi.encode() — it includes length prefixes that prevent collisions
If encodePacked must be used for gas efficiency, ensure at most one argument is a variable-length type
Alternatively, separate variable-length arguments with fixed-length delimiters

// Safe: abi.encode includes length prefixes
bytes32 hash = keccak256(abi.encode(a, b));

// Also safe: only one variable-length argument
bytes32 hash = keccak256(abi.encodePacked(fixedAddr, dynamicString));

apegurus/hash-collision

skills/vulnerability-patterns/hash-collision/SKILL.md

- Contract uses `abi.encodePacked()` to encode data before hashing (typically with `keccak256`)

development

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus hash-collision

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:26 AM105.8s1 file scanned

SKILL.md

name:: hash-collision
description:: Packed encoding may collide when multiple dynamic arguments are hashed
pattern_category:: logic-error
- regex:: abi\.encodePacked\(
severity:: Medium
confidence:: Medium
swc:: SWC-133

Hash Collision with abi.encodePacked()

Preconditions

Contract uses abi.encodePacked() to encode data before hashing (typically with keccak256)
Two or more adjacent arguments in the encodePacked call are variable-length types (strings, bytes, dynamic arrays)
The resulting hash is used for authentication, deduplication, or signature verification

Vulnerable Pattern

function verify(string memory a, string memory b, bytes memory sig) external {
    // abi.encodePacked("a", "bc") == abi.encodePacked("ab", "c")
    // Attacker shifts bytes between arguments to forge a valid hash
    bytes32 hash = keccak256(abi.encodePacked(a, b));
    require(ECDSA.recover(hash, sig) == trustedSigner);
    _execute(a, b);
}

// Array variant:
// abi.encodePacked([addr1, addr2], [addr3])
//   == abi.encodePacked([addr1], [addr2, addr3])

Detection Heuristics

Search for abi.encodePacked( calls
Check how many arguments are variable-length types (string, bytes, dynamic arrays like address[], uint256[])
If two or more adjacent arguments are variable-length, flag it — elements can be shifted between arguments to produce an identical encoding
Check if the packed result feeds into keccak256 for security-sensitive purposes (signature verification, access control, deduplication)
If only one argument is variable-length, or all arguments are fixed-length (address, uint256, bool), it is safe

False Positives

Only one argument is a variable-length type (no adjacent dynamic types to shift between)
All arguments are fixed-length types (address, uint256, bytes32, bool, etc.)
abi.encode() is used instead of abi.encodePacked() (includes length prefixes, no collision)
The hash is not used for any security-sensitive purpose

Remediation

Replace abi.encodePacked() with abi.encode() — it includes length prefixes that prevent collisions
If encodePacked must be used for gas efficiency, ensure at most one argument is a variable-length type
Alternatively, separate variable-length arguments with fixed-length delimiters

// Safe: abi.encode includes length prefixes
bytes32 hash = keccak256(abi.encode(a, b));

// Also safe: only one variable-length argument
bytes32 hash = keccak256(abi.encodePacked(fixedAddr, dynamicString));

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/hash-collision ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT