Closed code423n4 closed 1 year ago
thereksfour marked the issue as primary issue
Arachnid marked the issue as sponsor disputed
This is by design; locking is intended to be an irrevocable process. It's only available to the root, not to TLD owners.
dmvt marked the issue as unsatisfactory: Invalid
feature, not bug
Lines of code
https://github.com/code-423n4/2023-04-ens/blob/main/contracts/dnsregistrar/DNSRegistrar.sol#L187-L190
https://github.com/code-423n4/2023-04-ens/blob/main/contracts/root/Root.sol#L22-L28
https://github.com/code-423n4/2023-04-ens/blob/main/contracts/root/Root.sol#L34-L37
Vulnerability details
Proof of Concept
When claiming a domain in DNSRegistrar.sol (either through proveAndClaim() or proveAndClaimWithResolver()), the internal function _enableNode() will be called. The snippet below shows that when owner == address(0) or owner == previousRegistrar and parentNode == bytes(0), the Root.sol contract will be called by calling root.setSubnodeOwner(label, address(this)).
https://github.com/code-423n4/2023-04-ens/blob/main/contracts/dnsregistrar/DNSRegistrar.sol#L187-L190
And we can see that Root.sol will check if the label is not locked.
https://github.com/code-423n4/2023-04-ens/blob/main/contracts/root/Root.sol#L22-L28
The issue is that there's only one function to toggle the lock to true, and there's currently no method to unlock a label.
https://github.com/code-423n4/2023-04-ens/blob/main/contracts/root/Root.sol#L34-L37
Impact
There are two scenarios where not being able to unlock a label becomes a problem.
Either one of these two scenarios is irreversible and can prevent particular domains from being claimed forever. Not being able to claim a DNS domain indefinitely would damage the ENS system.
Although Root.sol is not in scope for this contest, since it's called by DNSRegistrar.sol (in scope), locking a label will impact functionalities related to the logic in scope.
Tools Used
Manual review
Recommended Mitigation Steps
Add a function to allow setting the locked mapping to false in Root.sol, e.g.
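
Added example, not part of the report above and not the ENS source: a simplified Solidity model of the lock behaviour that the report and the sponsor's reply both describe, showing who can set the lock and which call it blocks. The contract name RootLockModel, the subnodeOwner mapping (a stand-in for the ENS registry) and the revert strings are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Simplified model written for this page; NOT the ENS Root.sol source.
// RootLockModel and subnodeOwner are illustrative names.
contract RootLockModel {
    address public owner;                            // the root owner
    mapping(address => bool) public controllers;     // e.g. a DNS registrar
    mapping(bytes32 => bool) public locked;          // one-way latch per TLD label
    mapping(bytes32 => address) public subnodeOwner; // stand-in for the ENS registry

    event TLDLocked(bytes32 indexed label);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not root owner");
        _;
    }

    modifier onlyController() {
        require(controllers[msg.sender], "not controller");
        _;
    }

    function setController(address controller, bool enabled) external onlyOwner {
        controllers[controller] = enabled;
    }

    // Path a registrar takes when it claims a TLD: rejected once the label is locked.
    function setSubnodeOwner(bytes32 label, address newOwner) external onlyController {
        require(!locked[label], "label locked");
        subnodeOwner[label] = newOwner;
    }

    // Only the root owner can lock. No function writes false back into
    // `locked`, so the state change is permanent for the life of the contract.
    function lock(bytes32 label) external onlyOwner {
        emit TLDLocked(label);
        locked[label] = true;
    }
}
```

In this model a controller or the holder of a TLD cannot call lock(); the only account able to make a label permanently unclaimable through setSubnodeOwner() is the root owner.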