Platform: Code4rena
Start Date: 14/04/2023
Pot Size: $90,500 USDC
Total HM: 7
Participants: 59
Period: 14 days
Judge: LSDan
Total Solo HM: 3
Id: 232
League: ETH
Rank: 42/59
Findings: 1
Award: $59.79
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Sathish9098
Also found by: 0x73696d616f, 0xAgro, 0xSmartContract, 0xTheC0der, ABA, ArbitraryExecution, Aymen0909, BRONZEDISC, Bauchibred, Dyear, Eurovickk, IceBear, Jerry0x, Jorgect, Josiah, MalfurionWhitehat, MohammedRizwan, RaymondFam, Recep, Rickard, SAAJ, Shubham, Udsen, auditor0517, brgltd, catellatech, chaduke, codeslide, eierina, favelanky, j4ld1na, lukris02, matrix_0wl, naman1778, pontifex, schrodinger, tnevler, urataps
59.7928 USDC - $59.79
DNSRegistrar contract won't accept any proofs/claims after year 2106

Due to the inception and expiration fields of signed sets being 32-bit UNIX timestamps, see RRUtils.sol and also RFC4034, signature validation will fail after Feb 07 2106 because of inception and expiration timestamp checks. Therefore the DNSRegistrar contract won't accept any new proofs/claims after this date.
Moreover, upgrading the DNSRegistrar and related contracts to solve this in the future might lead to problems because inceptions of claimed domains are currently stored as uint32. Although DNSSEC uses 32-bit UNIX timestamps, I recommend working with uint40 in the ENS-DNS contracts to be future-proof.
In the verify() method of the SHA1Digest contract, the bytes20 return value of hash.readBytes20(0) is stored in a bytes32 variable just to be compared to a bytes20 value again.
Use bytes20 consistently:
diff --git a/contracts/dnssec-oracle/digests/SHA1Digest.sol b/contracts/dnssec-oracle/digests/SHA1Digest.sol index 97e1247..63c1c94 100644 --- a/contracts/dnssec-oracle/digests/SHA1Digest.sol +++ b/contracts/dnssec-oracle/digests/SHA1Digest.sol @@ -15,7 +15,7 @@ contract SHA1Digest is Digest { bytes calldata hash ) external pure override returns (bool) { require(hash.length == 20, "Invalid sha1 hash length"); - bytes32 expected = hash.readBytes20(0); + bytes20 expected = hash.readBytes20(0); bytes20 computed = SHA1.sha1(data); return expected == computed; }
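Review bot: On the changed `expected` declaration, the old code widened the `bytes20` value to `bytes32` and compared it against the `bytes20` `computed`, which gives the same result as the new same-typed comparison, so this should be a behaviour-neutral cleanup; say so in the commit message and confirm with a test that a matching and a non-matching 20-byte hash still return true and false. With both locals now `bytes20`, the body could also be reduced to `return hash.readBytes20(0) == SHA1.sha1(data);`, keeping the `require(hash.length == 20, ...)` guard ahead of it.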
Remove the unused constants CLASS_INET and TYPE_TXT from the DNSClaimChecker contract:
diff --git a/contracts/dnsregistrar/DNSClaimChecker.sol b/contracts/dnsregistrar/DNSClaimChecker.sol index 54950d1..bd51694 100644 --- a/contracts/dnsregistrar/DNSClaimChecker.sol +++ b/contracts/dnsregistrar/DNSClaimChecker.sol @@ -13,9 +13,6 @@ library DNSClaimChecker { using RRUtils for *; using Buffer for Buffer.buffer; - uint16 constant CLASS_INET = 1; - uint16 constant TYPE_TXT = 16; - function getOwnerAddress( bytes memory name, bytes memory data
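Review bot: The removal of `CLASS_INET` and `TYPE_TXT` shows only their declarations, so the hunk by itself cannot confirm they are unused; before merging, search the rest of `DNSClaimChecker.sol` and every file that imports the library for both names and make sure the project still compiles. If the values 1 and 16 appear as bare literals elsewhere in the library, using the named constants there instead of deleting them would be the better cleanup.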
#0 - c4-judge
2023-05-08T15:38:40Z
dmvt marked the issue as grade-b
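The 32-bit timestamp wrap described in the DNSRegistrar finding above, modelled as an added Python example (not code from the report or from the ENS contracts). It goes one step beyond the report by contrasting a plain integer comparison with the RFC 1982 serial-number comparison that RFC 4034 requires for the inception and expiration fields; the function names and the sample signing windows are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MOD = 1 << 32          # RRSIG inception/expiration are 32-bit fields
HALF = 1 << 31
WEEK = 7 * 24 * 3600   # constructed signature lifetime

def wrap_instant():
    """UTC time of the last second a 32-bit UNIX timestamp can express."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=MOD - 1)

def sign_window(now, lifetime=WEEK):
    """Hypothetical signer: both fields are truncated to 32 bits on the wire."""
    return now % MOD, (now + lifetime) % MOD

def plain_valid(inception, expiration, now):
    """Plain integer comparison against an untruncated clock."""
    return inception <= now <= expiration

def serial_gte(a, b):
    """RFC 1982 comparison: a >= b when the wrapped difference is below 2**31."""
    return (a - b) % MOD < HALF

def serial_valid(inception, expiration, now):
    """Same window check, done in 32-bit serial-number arithmetic."""
    now32 = now % MOD
    return serial_gte(expiration, now32) and serial_gte(now32, inception)

def demo():
    """Evaluate both checks at constructed clock values around the wrap."""
    rows = []
    for label, now in [("1h before wrap", MOD - 3600), ("after wrap", MOD + 1000)]:
        inc, exp = sign_window(now)
        rows.append((label, plain_valid(inc, exp, now), serial_valid(inc, exp, now)))
    # A signature made after the wrap must still expire under serial arithmetic.
    inc, exp = sign_window(MOD + 1000)
    later = MOD + 1000 + 2 * WEEK
    rows.append(("expired", plain_valid(inc, exp, later), serial_valid(inc, exp, later)))
    return rows

if __name__ == "__main__":
    print(wrap_instant().isoformat())
    for row in demo():
        print(row)
```

Serial-number comparison is only meaningful while the two values are less than 2**31 seconds (about 68 years) apart.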