code-423n4 / 2022-07-ens-findings


Trust Anchors cannot be added/removed/inactivated post deployment #219

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-ens/blob/ff6e59b9415d0ead7daf31c2ed06e86d9061ae22/contracts/dnssec-oracle/DNSSECImpl.sol#L49

Vulnerability details

Impact

Trust anchors are specified during deployment of the DNS oracle and no functionality is provided to add, update or deactivate trust anchors. If the DNS root server keys are changed for whatever reason (planned rollover, new keys added or compromised), there is no other way to update the DNS oracle than to deploy a new one and change the ENS registry (if this functionality will be provided in the new DNS registrar, which is unclear as it is out of scope).

Proof of Concept

NA

Tools Used

NA

Recommended Mitigation Steps

Add functionality to remove and add trust anchors when needed. If this is by design the anchors can be set to immutable.
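
An added illustration of the mitigation recommended above, not part of the original report and not the ENS project's code: a hypothetical contract in which the owner proposes a replacement trust-anchor set that takes effect only after a public delay, so every rotation is announced by an event before any proof is checked against it. All names and the 7-day delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;
// Added illustration only, NOT the ENS DNSSECImpl contract.
// Every name and the 7-day delay below are hypothetical.
contract RotatableAnchors {
    address public immutable owner;
    uint256 public constant ACTIVATION_DELAY = 7 days; // assumed value
    bytes public anchors;           // trust anchors currently in force
    bytes public pendingAnchors;    // proposed replacement set
    uint256 public pendingActiveAt; // 0 means nothing is pending
    event AnchorsProposed(bytes newAnchors, uint256 activeAt);
    event AnchorsActivated(bytes newAnchors);
    event AnchorsProposalCancelled();
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(bytes memory initialAnchors) {
        require(initialAnchors.length > 0, "empty anchors");
        owner = msg.sender;
        anchors = initialAnchors;
    }

    // Announce a replacement set; it is not trusted yet.
    function proposeAnchors(bytes calldata next) external onlyOwner {
        require(next.length > 0, "empty anchors");
        pendingAnchors = next;
        pendingActiveAt = block.timestamp + ACTIVATION_DELAY;
        emit AnchorsProposed(next, pendingActiveAt);
    }

    // Withdraw a proposal, e.g. one made in error.
    function cancelProposal() external onlyOwner {
        require(pendingActiveAt != 0, "nothing pending");
        delete pendingAnchors;
        pendingActiveAt = 0;
        emit AnchorsProposalCancelled();
    }

    // Anyone may activate once the delay has elapsed.
    function activateAnchors() external {
        require(pendingActiveAt != 0 && block.timestamp >= pendingActiveAt, "not ready");
        anchors = pendingAnchors;
        delete pendingAnchors;
        pendingActiveAt = 0;
        emit AnchorsActivated(anchors);
    }
}
```

The delay trades response speed for transparency: a compromised anchor cannot be replaced before the delay elapses, so a deployment that needs emergency removal would have to add a separate, tightly controlled path.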

makoto commented 2 years ago

Duplicate of https://github.com/code-423n4/2022-07-ens-findings/issues/34

dmvt commented 2 years ago

See comments on #60. This is not a duplicate of #34. Downgraded to QA.