8 matches found
[ZZ-001] PARENT_CANNOT_CONTROL and CANNOT_CREATE_SUBDOMAIN fuses can be bypassed
Severity: High Status: Has been reported to and comfirmed by Jeff ENS team Report Time: 11/28/2022 12:31 AM EST Description The fuse constraints can be violated by a malicious owner of the parent node i.e., the hacker. There are two specific consequences the hacker can cause. Suppose the subnode...
NameWrapper: Cannot prevent transfer while upgrade even with CANNOT_TRANSFER fuse regardless of the upgraded NameWrapper's implementation
Lines of code Vulnerability details Impact Upon upgrade to a new NameWrapper contract, owner of the node will be set to the given wrappedOwner. Since the node will be burned before calling the upgraded NameWrapper, the upgraded NameWrapper cannot check the old owner. Therefore, no matter the...
NameWrapper: one can renew to DoS a Name
Lines of code Vulnerability details Impact Anyone with enough eth can make a name impossible to be used anymore Proof of Concept Below is a snippet of the proof of concept. The whole code can be found in this gist. And how to run test is in the comment in the gist. This proof of concept...
[PNM-002] The expiry of the parent node can be smaller than the one of a child node, violating the guarantee policy
Lines of code Vulnerability details Description By design, the child node's expiry can only be extended up to the parent's current one. Adding these restrictions means that the ENS users only have to look at the name itself's fuses and expiry without traversing the hierarchy to understand what...
[PNM-003] The preimage DB (i.e., NameWrapper.names) can be maliciously manipulated/corrupted
Lines of code Vulnerability details Description By design, the NameWrapper.names is used as a preimage DB so that the client can query the domain name by providing the token ID. The name should be correctly stored. To do so, the NameWrapper record the domain's name every time it gets wrapped. And...
NameWrapper: parent can bypass PARENT_CANNOT_CONTROL
Lines of code Vulnerability details Impact HIGH - bypassing PARENTCANNOTCONTROL fuse As discussed in the discord, bypassing fuse is considered high, thus it is reported as high impact Conditions for the parent for this exploit: should be able to unwrap: no CANNOTUNWRAP fuse on the parent node...
Users can skirt fuses on subnodes
Lines of code Vulnerability details Impact If users are granted subnode ownership through setSubnodeRecord or setSubnodeOwner in NameWrapper.sol, and that node is owned by the NameWrapper contract in the ENS registry and the unwrap fuse is not set, then attackers can reset flags and do whatever...
It is possible to create fake ERC1155 NameWrapper token for subdomain, which is not owned by NameWrapper
Lines of code Vulnerability details Impact Due to re-entrancy possibility in NameWrapper.transferAndBurnFuses called from setSubnodeOwner and setSubnodeRecord, it is possible to do some stuff in onERC1155Received right after transfer but before new owner and new fuses are set. This makes it...