Potential scam/hack: gifting an ENS name with a malicious custom resolver

I had a thought about this potential vulnerability this morning for gifted/donated names. It’s a sophisticated attack, but I do think it may be possible:

In the same way that it’s possible to visually spoof ENS names with similar looking characters, a custom resolver may be able to spoof a text record that says “address” in the app when the real eth address record is hidden, or there’s something in the resolver that redirects funds to a different wallet instead. Even more malicious if it waits to trigger until a large enough amount is sent to or from.

If spoofing the visual appearance of a text record, making a text record field invisible or otherwise tampering with where an address points is possible using a custom resolver, I feel like there should be some pretty big alerts in the app that the address has a custom resolver set, possibly even an alert on Etherscan for the address, since it’s a detail of an address that even advanced users may not pay attention to.


Interesting. This is just theory? No Proof of concept?

Unfortunately I don’t have the programming skills to spin up a custom resolver to test this. However once something like this this is out in the wild, it would probably be fairly trivial to clone someone elses malicious resolver and just edit in a new scam address.

To future proof any unforseen creativity here though, I just recommend a big :warning: wherever possible when detecting a custom resolver, the same way Metamask calls out similar-looking alphabetic characters.

1 Like