We were recently made aware of a security vulnerability in the .eth registrar controller, which would allow a malicious DAO update to appoint a registrar controller contract that shortens the duration of already-registered .eth names. This violates an intended invariant of the ENS system, which states that .eth registrations cannot be shortened once they are created.
The scope of this vulnerability is limited insofar as it would require DAO coordination to exploit it, and once implemented, the registration duration can only be reduced by 90 days per contract call. Still, this could be utilised to deliberately cause the targeted expiration of unwanted names.
The Ecosystem WG stewards have agreed to award a bounty of $100,000 from the bounty pool to the discoverer of this vulnerability.
The task before the DAO now, and which I would like input on, is whether and how we should mitigate this vulnerability. We have published a security advisory on GitHub detailing the vulnerabilty and including code that will eliminate it.
The mitigation code works by appointing a new ‘admin’ contract as the owner of the .eth registrar and the name wrapper, which passes through most admin commands. New registrar controllers, however, will have to be appointed via a dynamically created proxy contract that properly enforces the invariant that registration durations will not be reduced.
The consequence of implementing this mitigation is that all registrations and renewals that take place on new controllers deployed after the mitigation will consume additional gas - on the order of an additional 3250 gas. It also adds some complexity to the code path and deployment process of ENS. Registrations via existing controllers will not be affected, as they are known safe and can be grandfathered in.
A similar vulnerability has been discovered in the name wrapper, which would permit the DAO to appoint a malicious upgrade contract; if approved the upgrade contract could seize control of wrapped names, even if the user does not choose to upgrade the name. The mitigation contracts also mitigate this vulnerability.
I would welcome insight from the DAO as to whether we consider the cost of patching this vulnerability worthwhile, and if so whether the approach taken in the proposed patch is the correct one.