Platform: Code4rena
Start Date: 12/07/2022
End Date: 19/07/2022
Period: 7 days
Status: Completed
Pot Size: $75,000 USDC
Participants: 100
Reporter: liveactionllama
Judge: LSDan
Id: 145
League: ETH
PwnedNoMore | 1/100 | $18,700.42 | 5 | 2 | 1 | 2 | 1 | - | 0 | 0 |
zzzitron | 2/100 | $11,088.16 | 6 | 1 | 0 | 4 | 2 | - | 0 | 0 |
panprog | 3/100 | $8,671.28 | 4 | 2 | 0 | 2 | 1 | 0 | 0 | 0 |
GimelSec | 4/100 | $4,497.99 | 7 | 0 | 0 | 5 | 0 | - | - | 0 |
0x52 | 5/100 | $3,471.22 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 0 |
alan724 | 6/100 | $2,588.30 | 4 | 0 | 0 | 3 | 0 | - | 0 | 0 |
csanuragjain | 7/100 | $2,583.61 | 4 | 0 | 0 | 3 | 0 | - | 0 | 0 |
0x1f8b | 8/100 | $1,709.39 | 3 | 0 | 0 | 1 | 0 | - | - | 0 |
wastewa | 9/100 | $1,594.22 | 2 | 1 | 0 | 1 | 0 | 0 | 0 | 0 |
Aussie_Battlers | 10/100 | $1,263.53 | 4 | 1 | 0 | 1 | 0 | - | - | 0 |
ENS is a decentralised naming service built on top of Ethereum, and designed to resolve a wide array of resources including blockchain addresses, decentralised content, and user profile information.
Developer documentation can be found here.
Information on existing ENS deployments can be found here.
git clone https://github.com/code-423n4/2022-07-ens
cd 2022-07-ens
yarn
yarn test
Note: Not all contracts in this repository are in-scope for this audit! We have included contracts from the original ens-contracts repo that are dependencies of in-scope contracts here for the convenience of auditors. Only the contracts listed below are in-scope.
This audit is intended to cover several new and upgraded components of the ENS system:
SLOC: 164
Contains assorted utility functions for manipulating byte strings.
SLOC: 183
An implementation of a DNSSEC client as per RFC4034 & RFC4035. verifyRRSet should return the RRData for the last record in the array of signed RRSets passed in, iff the set of records passes DNSSEC validation from the root. If validation fails, it should revert.
Dependencies:
SLOC: 215
Utility functions for reading DNS RRSets.
Dependencies:
SLOC: 82
A solidity/yul implementation of SHA1.
SLOC: 21
A simple ownable/owned interface.
SLOC: 11
A public interface for DNSSECImpl.sol.
SLOC: 3
Public interface for DNSSEC (public key) algorithm implementations.
SLOC: 3
Public interface for DNSSEC digest (hash function) implementations.
SLOC: 240
The ETHRegistrarController governs how ENS names are registered and renewed. This contract has been modified since the deployed version to add:
Dependencies:
SLOC: 4
Public interface for ETHRegistrarController.
SLOC: 25
String manipulation functions used by ETHRegistrarController.sol.
SLOC: 18
Interface for the BaseRegistrarImplementation (not in scope).
SLOC: 112
Allows users to register and update reverse records (primary ENS names). This contract has been modified since the deployed version with a number of improvements:
Dependencies:
SLOC: 3
Public interface for ReverseRegistrar.sol.
SLOC: 27
Contains assorted utility functions for manipulating byte strings.
SLOC: 279
An implementation of ERC1155 that only supports 1 token per token type, with the owner, fuse/flag information, and an expiration time all packed into a single storage slot for gas-efficiency. Should conform to ERC1155, with the addition of ownerOf.
Dependencies:
SLOC: 657
A contract that wraps ENS names, providing additional functionality:
The primary reason for this wrapper is the 'fuse' functionality for revoking permissions over names; this is intended to support applications such as trustless subdomain issuance, and trustless name resolution. The intended security/permission model is as follows:
- The defined fuses are: CANNOT_UNWRAP, CANNOT_BURN_FUSES, CANNOT_TRANSFER, CANNOT_SET_RESOLVER, CANNOT_SET_TTL, CANNOT_CREATE_SUBDOMAIN, and PARENT_CANNOT_CONTROL.
- Once the CANNOT_UNWRAP fuse is burned, the expiration timestamp can only ever be increased, not decreased.
- Unless CANNOT_UNWRAP is burned, the only fuse that can be burned is PARENT_CANNOT_CONTROL.
- Unless CANNOT_BURN_FUSES is burned, the owner of a name can burn any fuse except PARENT_CANNOT_CONTROL.
- Unless the PARENT_CANNOT_CONTROL fuse is burned, the owner of the parent name can burn any fuse on that subdomain, including PARENT_CANNOT_CONTROL.
- Calling getData on a name and checking that (a) the expiration timestamp is in the future, and (b) the required fuse is burned, should be sufficient to establish that the operation is not possible on that name through any sequence of operations prior to the expiration timestamp.
Dependencies:
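As an added illustration of the fuse rules above, and of the packed owner/fuses/expiry slot described for ERC1155Fuse, here is a small Python model of the permission logic. It is example code written for this page, not the project's Solidity: the fuse bit values, the slot layout (owner in the low 160 bits, 32-bit fuses above it, 64-bit expiry on top), the error names and the cap of a child's expiry at its parent's are assumptions of the model, not facts taken from the contracts. The walk-through at the end exercises each rule and then applies the getData check from the last bullet.

```python
# Added example: a Python model of the NameWrapper fuse rules, not the project's
# Solidity. Bit values, error names, the slot layout (owner | fuses << 160 |
# expiry << 192) and the "child cannot outlive parent" cap are assumptions.

class Unauthorised(Exception): ...
class OperationProhibited(Exception): ...

CANNOT_UNWRAP = 1 << 0
CANNOT_BURN_FUSES = 1 << 1
CANNOT_TRANSFER = 1 << 2
CANNOT_SET_RESOLVER = 1 << 3
CANNOT_SET_TTL = 1 << 4
CANNOT_CREATE_SUBDOMAIN = 1 << 5
PARENT_CANNOT_CONTROL = 1 << 6

MASK160, MASK32, MASK64 = (1 << 160) - 1, (1 << 32) - 1, (1 << 64) - 1

def pack(owner, fuses, expiry):
    """One 256-bit word: address in the low 160 bits, 32-bit fuses, 64-bit expiry."""
    assert owner <= MASK160 and fuses <= MASK32 and expiry <= MASK64
    return owner | (fuses << 160) | (expiry << 192)

def unpack(slot):
    return slot & MASK160, (slot >> 160) & MASK32, (slot >> 192) & MASK64

def _check_fuses(fuses):
    # Unless CANNOT_UNWRAP is burned, only PARENT_CANNOT_CONTROL may be burned.
    others = fuses & ~(CANNOT_UNWRAP | PARENT_CANNOT_CONTROL)
    if others and not (fuses & CANNOT_UNWRAP):
        raise OperationProhibited("burning that fuse requires CANNOT_UNWRAP")

class NameWrapperModel:
    def __init__(self):
        self.slots = {}  # name -> packed word, as one storage slot would hold it

    def wrap(self, name, owner, expiry, fuses=0):
        _check_fuses(fuses)
        self.slots[name] = pack(owner, fuses, expiry)

    def get_data(self, name):
        return unpack(self.slots.get(name, 0))

    def set_fuses(self, name, caller, fuses):
        """The owner burns fuses on its own name; fuses are only ever added."""
        owner, old, expiry = self.get_data(name)
        if caller != owner:
            raise Unauthorised(name)
        if old & CANNOT_BURN_FUSES:
            raise OperationProhibited("CANNOT_BURN_FUSES is burned")
        if fuses & PARENT_CANNOT_CONTROL:
            raise Unauthorised("only the parent may burn PARENT_CANNOT_CONTROL")
        new = old | fuses
        _check_fuses(new)
        self.slots[name] = pack(owner, new, expiry)
        return new

    def set_child_fuses(self, parent, label, caller, fuses, expiry):
        """The parent's owner burns fuses and sets the expiry on a subdomain."""
        child = f"{label}.{parent}"
        parent_owner, _, parent_expiry = self.get_data(parent)
        if caller != parent_owner:
            raise Unauthorised(parent)
        owner, old, old_expiry = self.get_data(child)
        if old & PARENT_CANNOT_CONTROL:
            raise OperationProhibited("PARENT_CANNOT_CONTROL is burned")
        new = old | fuses
        _check_fuses(new)
        if (old & CANNOT_UNWRAP) and expiry < old_expiry:
            raise OperationProhibited("expiry can only increase once CANNOT_UNWRAP is burned")
        expiry = min(expiry, parent_expiry)  # assumption: a child cannot outlive its parent
        self.slots[child] = pack(owner, new, expiry)
        return new, expiry

    def guaranteed(self, name, fuse, now):
        """The getData check: expiry in the future and the required fuse burned."""
        _, fuses, expiry = self.get_data(name)
        return expiry > now and (fuses & fuse) == fuse

def walk_through(now=1_700_000_000):
    """Exercises each rule on constructed names and returns the outcomes."""
    DAY = 86_400
    w, alice, bob = NameWrapperModel(), 0xA11CE, 0xB0B
    w.wrap("example.eth", alice, now + 365 * DAY, fuses=CANNOT_UNWRAP)
    w.wrap("sub.example.eth", bob, now + 30 * DAY)
    out = {}
    def attempt(key, fn):
        try:
            fn()
            out[key] = "allowed"
        except (Unauthorised, OperationProhibited) as e:
            out[key] = type(e).__name__
    attempt("transfer_without_unwrap", lambda: w.set_fuses("sub.example.eth", bob, CANNOT_TRANSFER))
    attempt("owner_burns_pcc", lambda: w.set_fuses("sub.example.eth", bob, PARENT_CANNOT_CONTROL))
    out["burn_both"] = w.set_fuses("sub.example.eth", bob, CANNOT_UNWRAP | CANNOT_TRANSFER)
    attempt("decrease_expiry", lambda: w.set_child_fuses("example.eth", "sub", alice, 0, now + DAY))
    out["after_parent"], expiry = w.set_child_fuses("example.eth", "sub", alice, PARENT_CANNOT_CONTROL, now + 60 * DAY)
    attempt("parent_locked_out", lambda: w.set_child_fuses("example.eth", "sub", alice, CANNOT_SET_RESOLVER, expiry))
    out["guaranteed_now"] = w.guaranteed("sub.example.eth", CANNOT_TRANSFER, now)
    out["guaranteed_after_expiry"] = w.guaranteed("sub.example.eth", CANNOT_TRANSFER, expiry + 1)
    return out
```

The model deliberately never clears a fuse bit (new = old | fuses) and refuses to lower the expiry once CANNOT_UNWRAP is burned, which is what makes the final getData check meaningful: a burned fuse plus a future expiry is a guarantee that survives every later call, while the same check returns False as soon as the expiry has passed.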
SLOC: 24
Public interface for NameWrapper.sol.
SLOC: 14
Mixin for a contract that can have controllers - other accounts that have access to privileged functions.
SLOC: 3
Interface for a metadata service - a contract that returns token metadata for a wrapped token.
INameWrapperUpgrade.sol
SLOC: 3
Interface for an upgrade target for the name wrapper - a new version of the wrapper.
SLOC: 12
Interface for the ENS registry contract.
SLOC: 29
Generic interface for ENS resolver contracts.