GHSA-RRXV-Q8M4-WCH3
Vulnerability from github – Published: 2023-08-01 19:48 – Updated: 2023-08-10 22:10Description
According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the expiration time of existing domains. However, a preliminary analysis suggests that an attacker-controlled controller may be able to reduce the expiration time of existing domains due to an integer overflow in the renew function.
The vulnerability resides in the following GitHub repository: https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171
The vulnerable line of code is:
require(
expiries[id] + duration + GRACE_PERIOD > duration + GRACE_PERIOD
); // Prevent future overflow
In this code snippet, the duration variable is user-supplied, making it possible to provide a value that would cause an overflow on both sides of the '>' expression, ultimately rendering the condition true. Specifically, when the duration is set to 2^256 - GRACE_PERIOD, the subsequent line expiries[id] += duration; also experiences an overflow, as expiries[id] is greater than GRACE_PERIOD. This results in the reduction of expiries[id] by GRACE_PERIOD. By repeatedly calling the renew function, an attacker could potentially force the expiration of an ENS record.
You can find the PoC included in the attached document. To execute the test, please use the following command:
forge test -vvv --match-contract RegistrarExploit --fork-url <alchemy_url>
Replace <alchemy_url> with your Alchemy API URL. This command will run the Foundry test file and demonstrate the potential vulnerability.
Impact
If successfully exploited, this vulnerability would enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves.
Currently, it would require a malicious DAO to exploit it. Nevertheless, any vulnerability present in the controllers could potentially render this issue exploitable in the future.
An additional concern is the possibility of renewal discounts. Should ENS decide to implement a system that offers unlimited .eth domains for a fixed fee in the future, the vulnerability could become exploitable by any user due to the reduced attack cost.
Patches
A mitigation is being developed.
Workarounds
As long as registration cost remains linear or superlinear based on registration duration, or limited to a reasonable maximum (eg, 1 million years), this vulnerability could only be exploited by a malicious DAO. The interim workaround is thus to take no action.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.0.21"
},
"package": {
"ecosystem": "npm",
"name": "@ensdomains/ens-contracts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38698"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-01T19:48:31Z",
"nvd_published_at": "2023-08-04T18:15:15Z",
"severity": "MODERATE"
},
"details": "### Description\nAccording to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the expiration time of existing domains. However, a preliminary analysis suggests that an attacker-controlled controller may be able to reduce the expiration time of existing domains due to an integer overflow in the renew function.\n\nThe vulnerability resides in the following GitHub repository: https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171 \n\nThe vulnerable line of code is:\n```js\nrequire(\n expiries[id] + duration + GRACE_PERIOD \u003e duration + GRACE_PERIOD\n ); // Prevent future overflow\n```\n\nIn this code snippet, the `duration` variable is user-supplied, making it possible to provide a value that would cause an overflow on both sides of the \u0027\u003e\u0027 expression, ultimately rendering the condition true. Specifically, when the duration is set to `2^256 - GRACE_PERIOD`, the subsequent line `expiries[id] += duration;` also experiences an overflow, as `expiries[id]` is greater than `GRACE_PERIOD`. This results in the reduction of `expiries[id]` by `GRACE_PERIOD`. By repeatedly calling the renew function, an attacker could potentially force the expiration of an ENS record.\n\nYou can find the PoC included in the attached document. To execute the test, please use the following command:\n```\nforge test -vvv --match-contract RegistrarExploit --fork-url \u003calchemy_url\u003e\n```\n\nReplace `\u003calchemy_url\u003e` with your Alchemy API URL. This command will run the Foundry test file and demonstrate the potential vulnerability.\n\n### Impact\nIf successfully exploited, this vulnerability would enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves.\n\nCurrently, it would require a malicious DAO to exploit it. Nevertheless, any vulnerability present in the controllers could potentially render this issue exploitable in the future.\n\nAn additional concern is the possibility of renewal discounts. Should ENS decide to implement a system that offers unlimited .eth domains for a fixed fee in the future, the vulnerability could become exploitable by any user due to the reduced attack cost.\n\n### Patches\nA mitigation is being developed.\n\n### Workarounds\nAs long as registration cost remains linear or superlinear based on registration duration, or limited to a reasonable maximum (eg, 1 million years), this vulnerability could only be exploited by a malicious DAO. The interim workaround is thus to take no action.\n",
"id": "GHSA-rrxv-q8m4-wch3",
"modified": "2023-08-10T22:10:22Z",
"published": "2023-08-01T19:48:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-rrxv-q8m4-wch3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38698"
},
{
"type": "WEB",
"url": "https://github.com/ensdomains/ens-contracts/commit/e6b136e979084de3761c125142620304173990ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/ensdomains/ens-contracts"
},
{
"type": "WEB",
"url": "https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": ".eth registrar controller can shorten the duration of registered names"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.