Platform: Code4rena
Start Date: 14/04/2023
End Date: 28/04/2023
Period: 14 days
Status: Completed
Pot Size: $90,500 USDC
Participants: 59
Reporter: liveactionllama
Judge: LSDan
Id: 232
League: ETH
Automated findings output for the contest can be found here* within an hour of contest opening.
Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.
*The original gist link was discovered to no longer be accessible, so it has been replaced with a new working link as of December 14, 2023.
ENS is a decentralised naming service built on top of Ethereum, and designed to resolve a wide array of resources including blockchain addresses, decentralised content, and user profile information.
Developer documentation can be found here.
Information on existing ENS deployments can be found here.
rm -Rf 2023-04-ens || true && git clone https://github.com/code-423n4/2023-04-ens.git -j8 --recurse-submodules && cd 2023-04-ens && nvm use 18.0 && yarn && REPORT_GAS=true yarn test
git clone https://github.com/code-423n4/2022-11-ens cd 2022-11-ens yarn
yarn test
| Contract | SLOC | Purpose | Libraries used |
|---|---|---|---|
| contracts/dnsregistrar/DNSClaimChecker.sol | 61 | Uses the DNSSEC oracle to verify DNS name claims | |
| contracts/dnsregistrar/OffchainDNSResolver.sol | 190 | CCIP-read resolver contract to handle gasless DNS name resolution | ERC165 |
| contracts/dnsregistrar/RecordParser.sol | 30 | Parses space delimited key-value strings from DNS TXT records | |
| contracts/dnsregistrar/DNSRegistrar.sol | 165 | DNS registrar contract; permits registering DNS names in ENS, using the DNSSEC oracle | ERC165 |
| contracts/dnssec-oracle/BytesUtils.sol | 243 | Byte string manipulation utils | |
| contracts/dnssec-oracle/RRUtils.sol | 308 | DNS Resource-Record (RR) parsing utils | |
| contracts/dnssec-oracle/algorithms/RSASHA1Algorithm.sol | 35 | Implementation of the DNSSEC RSASHA1 algorithm | |
| contracts/dnssec-oracle/algorithms/EllipticCurve.sol | 283 | Implementation of ECDSA in Solidity | |
| contracts/dnssec-oracle/algorithms/P256SHA256Algorithm.sol | 31 | Implementation of the DNSSEC P256SHA256 algorithm | |
| contracts/dnssec-oracle/algorithms/ModexpPrecompile.sol | 28 | Utility contract for using the modexp/RSA precompile | |
| contracts/dnssec-oracle/algorithms/RSASHA256Algorithm.sol | 34 | Implementation of the DNSSEC RSASHA256 algorithm | |
| contracts/dnssec-oracle/algorithms/RSAVerify.sol | 12 | RSA signature verification | |
| contracts/dnssec-oracle/digests/SHA1Digest.sol | 16 | Implementation of the DNSSEC SHA1 digest | |
| contracts/dnssec-oracle/digests/SHA256Digest.sol | 13 | Implementation of the DNSSEC SHA256 digest | |
| contracts/dnssec-oracle/DNSSECImpl.sol | 258 | A stateless DNSSEC oracle | |
| contracts/dnssec-oracle/SHA1.sol | 218 | Implementation of the SHA1 hash function in Solidity | |
| contracts/utils/NameEncoder.sol | 43 | Converts names from dot-separated to DNS binary format | |
| contracts/utils/HexUtils.sol | 54 | Parses hex strings into bytes32 |
All files not listed above
We implement userspace versions of SHA1 and SECP256p1. SHA1 is required for some DNSSEC zones; we don't choose the hash, the zone owner does. SECP256p1 is likewise used in many zones, including those hosted by cloudflare.
The offchain DNS resolver uses EIP 3668 (CCIP-Read) and ENSIP-10 to support gasless DNS-based name resolution.
Slither does not work on this repository; we've reached out to the team in the past and nobody seems sure why not. If you find a workaround, please share it in the Discord.
- If you have a public code repo, please share it here: https://github.com/ensdomains/ens-contracts - How many contracts are in scope?: 21 - Total SLoC for these contracts?: 2103 - How many external imports are there?: 5 - How many separate interfaces and struct definitions are there for the contracts within scope?: 10 - Does most of your code generally use composition or inheritance?: Composition - How many external calls?: 0 - What is the overall line coverage percentage provided by your tests?: 90 - Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: false - Please describe required context: n/a - Does it use an oracle?: Others; DNS - Does the token conform to the ERC20 standard?: - Are there any novel or unique curve logic or mathematical models?: DNSSEC, SHA1 - Does it use a timelock function?: - Is it an NFT?: - Does it have an AMM?: - Is it a fork of a popular project?: false - Does it use rollups?: - Is it multi-chain?: - Does it use a side-chain?: false - Describe any specific areas you would like addressed. E.g. Please try to break XYZ.": Accuracy of DNSSEC implementation compared to the standard, any failures to check critical conditions.
Trust | 1/59 | $23,845.89 | 3 | 0 | 0 | 2 | 2 | - | 0 | 0 |
MalfurionWhitehat | 2/59 | $11,952.84 | 2 | 0 | 0 | 1 | 1 | Grade B | 0 | 0 |
Holmgren | 3/59 | $5,411.66 | 2 | 0 | 0 | 1 | 0 | - | 0 | 0 |
auditor0517 | 4/59 | $4,753.89 | 2 | 0 | 0 | 1 | 0 | Grade A | 0 | 0 |
chaduke | 5/59 | $3,622.13 | 4 | 0 | 0 | 3 | 0 | Grade B | 0 | 0 |
eierina | 6/59 | $2,532.10 | 3 | 0 | 0 | 2 | 0 | Grade A | 0 | 0 |
hihen | 7/59 | $2,463.53 | 2 | 0 | 0 | 2 | 0 | 0 | 0 | 0 |
nobody2018 | 8/59 | $2,361.87 | 2 | 0 | 0 | 2 | 0 | 0 | 0 | 0 |
SaharAP | 9/59 | $2,167.51 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
Lilyjjo | 10/59 | $1,667.31 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
Auditor per page