In Crypto.sol the expandMessageXMDKeccak256() function uses the free memory pointer as a scratch space to build a message that will eventually be hashed. The function does not allocate itself this memory, but expects the memory region to be zero.

However later on in the function a separate part of the code does the something similar and will write to the exact same memory region. This code also doesn't allocate the memory to itself.

This doesn't cause an issue if the function is called once, however if the function is called in a loop the second iteration will use the memory that has been polluted by the later code.

Expected Behavior

Memory region pointed at by free memory pointer should be zero before first block of assembly code uses that memory

Current Behavior

Other areas will write to that same memory region in certain circumstances. Causing an incorrect hash.

(Optional) Possible Solution

We did this

oxen-io/eth-sn-contracts#66

which just zeros the memory before use