Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-04-ENS-FINDINGS-ISSUES-284
HistoryApr 28, 2023 - 12:00 a.m.

Missing important check in getOwnerAddress() function in DNSClaimChecker.sol

2023-04-2800:00:00
Code4rena
github.com
3
vulnerability
impact
proof of concept
constants
code review
mitigation
JSON

Lines of code

Vulnerability details

Impact

getOwnerAddress() function used in DNSClaimChecker.sol is missing important check on the type and class of the records.

Also this getOwnerAddress() function is used in DNSRegistar.sol _claim function to claim a name using the given proofs
Since there are checks missing on type and class of the records, the user can claim a name with invalid proofs

Proof of Concept

In getOwnerAddress() function returns address and a bool value, the following check is not covering all the required cases

if (iter.name().compareNames(buf.buf) != 0) continue;

Also, we can see the constants are declared but not used in the code

    uint16 constant CLASS_INET = 1;
    uint16 constant TYPE_TXT = 16;

Since there is no check on type and class of the records this condition will pass and getOwnerAddress() will return an address and a true value

Now this getOwnerAddress() function is used in DNSRegistar.sol _claim function.

_claim() function is used in proveAndClaim() and proveAndClaimWithResolver() functions to claim a name using given proofs.

Tools Used

Manual Code Review

Recommended Mitigation Steps

Add required checks similar to resolveCallback() function is OffchainDNSResolver.sol

if (iter.name().compareNames(buf.buf) != 0 || iter.class != CLASS_INET || iter.dnstype != TYPE_TXT) { continue; }

The text was updated successfully, but these errors were encountered:

All reactions

JSON