Lack of selector collision check when using `abigen` macro

[cre-mer]

Version

v2.0.14

Platform

Darwin MacBook-Pro-Max.local 23.6.0 Darwin Kernel Version 23.6.0: Mon Jul 29 21:14:30 PDT 2024; root:xnu-10063.141.2~1/RELEASE_ARM64_T6000 arm64

---

Description

The abigen macro in ethers-rs is designed to generate type-safe Rust bindings for Ethereum smart contracts based on their ABI. However, the current implementation of the abigen macro does not check for function selector collisions. This can result in the generation of bindings that contain multiple functions sharing the same function selector.

This vulnerability could be exploited by a malicious actor who provides an ABI containing colliding function selectors to an unsuspecting developer. The developer, unaware of the actual contract's ABI, might implement the bindings and call these functions, not realizing that both function calls are resolving to the same function selector. This could lead to unintended behavior in the application.

A simplified example of this issue can be seen when using a human-readable ABI format. The following functions, BlazingIt4490597615() and wycpnbqcyf(), both share the same selector hash 0x00000000 (as seen on 4byte.directory):

abigen!(
    MyContract,
    r#"[
        function BlazingIt4490597615() external
        function wycpnbqcyf() external
    ]"#
);

Expected Behavior

The compiler should at least issue a warning that identifies and lists all occurrences of function selector collisions. It should also advise the developer to carefully review the contract's ABI to ensure that these collisions are intentional and properly handled.

Actual Behavior

No warnings or errors are produced. The code compiles successfully without alerting the developer to the selector collision.