UsernameRegistrar.release(bytes32) uses a low level call with user-controlled _label

ghost commented 4 years ago

UsernameRegistrar.release(bytes32) uses a low level to a input-controlled function id newOwner.call.gas(80000)(abi.encodeWithSelector(this.dropUsername.selector,_label))

Crytic again suggests: "Avoid low-level call. Consider using a whitelist of function ids to call" because the _label argument is user-controlled which is the expected functionality (call is invoked on newOwner which is not user-controlled).

Reporting it here just because it's a medium severity and so deserves a look by others. @3esmit @0kok0

3esmit commented 4 years ago

Requires solidity <0.6.0, to use try catch instead of manually decoding return success.

3esmit commented 4 years ago

See https://solidity.readthedocs.io/en/v0.6.2/control-structures.html#try-catch

3esmit commented 4 years ago

Fixed by #119

status-im / ens-usernames

UsernameRegistrar.release(bytes32) uses a low level call with user-controlled _label #114