Urgent fix needed to the core design of ENS registrations

Hello,

I am posting in the interest of strengthening and preserving ENS as a useful and lasting naming system. Right now the design surrounding extension of name registrations is inherently broken and a risk for ENS’ continued success.

We have implemented registration fees and time limited registration periods in the interest of making the names less possible to hoard and for them to be available for those that need them when the original user lets them expire (instead of them sitting in a wallet forever). This is excellent because it optimizes for usability and accessibility of names to participants that need them the most.

When it comes to extending the already registered names here is where the vital flaw presents itself: Being able to extend the period from any wallet instead of just the registrant wallet leaves ENS open to exploitation and foul play

Being able to extend the registration from any wallet is fundamentally a quality of life feature but it must go in order to stop malicious actors from preventing victims from ever getting the names they need. Otherwise the antagonist can achieve this by extending the registrations of names indefinitely as described in this Twitter thread:

TLDR: The feature that lets any random wallet extend a registration instead of just the registrant goes against the core design philosophy of ENS and it must be changed in order to protect the future viability of our naming system!

2 Likes

Didn’t understand what the point was

It goes both ways. It can also save your name if you lose access to the Registrant account, or accidentally send it to an unrecoverable contract address or something like that. As long as you keep the name registration extended, then at least you’ll never have to worry about the name ever being released, so you can still use the name (and update records, if you have access to the Controller).

This will be especially important with regards to the upcoming NameWrapper contract, where all names (and subdomains) will be able to be wrapped into fully-fledged ERC-1155 NFTs. By “burning fuses” you can guarantee that the owner of the parent domain cannot delete/replace any issued subdomains, giving assurance to all of your subdomain holders. The one case where those fuses can get reset is if the parent domain is expired and then re-registered though. What if the parent domain owner never renews? Maybe they go AWOL, or maybe they lost access to the Registrant account, etc. Now we’re not talking about the potential loss of just one ENS name, but also all of the issued subdomain NFTs underneath it.

However, since any account can extend any domain, the holders of the subdomains can ensure that their subdomain NFTs are never “rugged” by keeping the parent domain registration extended.

This was an intentional design, and does not “go against the core design philosophy of ENS” in my opinion.

2 Likes

That’s right.

My opinion is that we should value preventing sabotage within the ENS higher than giving users that make mistakes the ability to keep renewing from a different wallet, instead of having to reregister the name when it expires. The consequences of doing hostile name terminations are much more severe than names having to be bought again if you mess up.

I feel strongly that this could be very harmful and cause a lot of controversy if we don’t take the risk seriously.

I was given a good suggestion from nullpointer.eth that solves the issue you are describing:

"One can simply add an alternative wallet/whitelist of maintenance addresses (in records section) which can renew the ens. This ensures flexibility of maintenance through multiple addresses but no adversarial “kicking the can down the road”

By having whitelisted addresses that may extend the registration you could protect against sabotage of the namespace while also granting control to all parties that need to have it (or extra addresses for yourself). Just include all subdomain holders in the whitelist and the problem is solved.

1 Like

Personally I view anyone being able to renew a name as a feature; it allows people to ensure that third-party names will not expire if they depend on them. There are a number of names that have been deliberately burned; if we enforced that only the registrant or their nominees could renew now, those names would potentially lapse even if that’s not desired.

3 Likes

Thanks for responding to this pressing issue, Nick.

That is what I expressed in my initial post:
“Being able to extend the registration from any wallet is fundamentally a quality of life feature”

What I don’t understand is why you both seems so intent on prioritizing making sure that a few edge cases of protecting names from expiry higher than prohibiting sabotage and destruction of the namespace? To me it is protecting the past at the cost of our future.

I don’t feel so strongly about this for any selfish reason. I genuinely fear for the health of ENS because of this feature.

Both situations are edge-cases - and “sabotaging” by renewing a name you don’t own is fairly unlikely, but we have several known cases of names that have been deliberately set up and then burned in order to be trustless, and disabling this behaviour would be a fundamental step back in ENS’s usability.

Did you read the Twitter thread I posted and considered the implications? I am trying to say that it could be used as a weapon to hurt your competitors in business.

Yes, I did, and I appreciate the thought you put into it.

Disabling renewal-by-anyone won’t help with this, though; someone wanting to use it as a weapon can register the name themselves and extend it for a long period, then either sit on it or burn it then. You can also write a contract that holds names and allows anyone to renew them, and send names there.

2 Likes

Yes, I recognize that risks remain even with my solution. But all the most well known names are already registered by now and thus just registering them can only be done in some of the cases. I didn’t quite understand your last sentence, wouldn’t sending them to an address where anyone may renew virtually be the same as just renewing if you are the registrant?

Either one would allow you to keep the name out of someone else’s hands, yes.

2 Likes

I must say I disagree. This is a feature, not a bug. Also, I think you misunderstand the difference between registration and control. Extending the registration of a domain does not prevent transfer of control/ownership. If this were the case, then we could never sell any of our domains while we own them, which is a catch 22.