Zero-width characters pose a security risk and existential threat to ENS

I agree with you on this one. If I wanted to copy paste I’d only use the address itself

if ENS is unwilling to change the smart contract, enforcement going forward at the client is one step in the right direction, but not sufficient for all of the already-acquired spoof domains. making ZWJ-domains un-routable at the network level might be a solution. and yes, putting more logic into the client will be complicated if you want to make it smart enough to allow bonafide ZWJ emojis but not “forged” ones, but it’s doable. regex anyone?

“making ZWJ-domains un-routable at the network level might be a solution”
Not sure what you mean here. ENS is is just smart contracts on Ethereum and resolution just means a client reading from the Ethereum blockchain, there isn’t any other routing.

“putting more logic into the client will be complicated if you want to make it smart enough to allow bonafide ZWJ emojis but not “forged” ones, but it’s doable.”
Clients can provide warnings (to allow people to still use something deemed suspicious if they are intentionally using it), and as I’ve said in fact some major ones already do, but it would be great if it was more widely used as I’ve said.

i really hope u are right

but i know that when i send eth to uniswap, yearn, etc im not typing in addresses it’s a button click and thats the direction its moving for UX

no name is aesthetically scarce with zero width joiners, just the opposite and they are all still functional with unlimited availability for what looks like the same name, i won’t be the only one that wants my money back

I don’t know about that, guys. most traffic is mobile now and I think people routinely use “click to copy” when presented with an address. I’ve never typed in a meaningless 42-character eth address - have you?

I’m still in favor of raising prices on domains containing ZWJ and other misleading characters. The 4-length pricing should discourage anyone maliciously buying these up and would also add value to the real ones being cheaper to renew.

Never but I used to triple check the address every single time

I don’t think paying an extra $145 for a spoofed commercial or professional domain name will deter scammers who aim to make $100,000+. fraud pays well.

good practice, me too, but joe public won’t do that and he’ll blame ENS when he sends his $$$ to a spoofed site

Maybe gracefully make them pay $145 for the next year then $640 for the years after. The latter for newly registered ones. At least we would see a decrease in this fraudulent trend I think.

In those cases you’re not using ENS. Unless I’m misunderstanding you?

Correct, and in those cases people aren’t using ENS. An advantage of ENS is that you can easily remember and type in your ENS name, no need to copy and paste a long crypto address.

Thanks for bringing this up.

To bring some clarity to the discussion:

• ENS uses UTS-46 normalisation, the same standard used by Punycode, to normalise names. This prohibits or strips most non-printable characters, as well as performing a bunch of other important normalisations.
• We’re not as restrictive as ICANN is for most gTLDs, because we think things like Emoji names are neat uses of ENS. Zero width joiners are used to compose certain emoji - such as woman + rocket => astronaut, which is probably why UTS-46 doesn’t strip them by default.
• The way ENS prohibits resolution of names that aren’t UTS-46 normalised is not at the smart contract level - baking the normalisation logic into a contract would be impractical - but rather by making it part of the client-side resolution process. If all clients use the same normalisation process, then names that aren’t normalised will never be resolved. You could still buy those names by interacting directly with the smart contract, but since no client will resolve them, the name has no value.
• We will look into making additions to the normalisation rules to prohibit the cases you’ve identified, without making existing legitimate names un-resolvable.
• We don’t have any mechanism to revoke ENS names. We certainly wouldn’t refund registrants of names that were registered to be deceptively similar to other names, if the normalisation rules render them un-resolvable.

Completely agree. It’s like someone pays entrance fee to get into club/disco, try to scam people, get caught and kicked out. No bouncer will refund you the entrance fee.

Thats not what its like at all. Its more like a centralized authority saying, “it’s okay to buy this name, we have this name for sale and it works” and then making it not work and decided its not okay to have and keeping the money.

This scenario of refunds was being discussed within the context of retroactively making zerowidth domains unresolvable. It would be exactly like selling a working product to somebody and then making it not work and keeping their money they spent. Maybe somebody bought a name they wanted personally using zero width or some non ascii bc they really wanted it to look like that bc they were just a big fan of the name, you don’t know.

And who are you, other than part of central command structure, to decide who is buying domains to scam people width zero width etc and who is buying with text art, you have the blinders on. If you didn’t refund people in this scenario who is to say there won’t be some other decision in the future where we have to divert to your wise judgement on whether or not its moral to refund somebodys money you accepted on account of your own teams short sightedness early on in the project with this very issue? It sets a precedent and doesn’t look good.

The refunds were only brought up within the context of making domains unresolvable, which it looks like won’t happen anyways because its too expensive to fix the contract now and the problem is being pushed onto the wallet providers etc.

Edit: I see now that making names unresolvable is client side. any name sold that was resolvable and money ens profited by selling a working name should be refunded if they later make it unresolvable.

I personally don’t own any “scam” domains meant to spoof except maybe vitalik.eth but that’s really more of a collectible name, I still want to see all names refunded that were sold and made retroactively unresolvable

btc.eth
link.eth
dcl.eth
dot.eth
uni.eth
xrp.eth

Just this small sample is available in unlimited quantity and functional. Only the ones without zero width cost big premiums on top of renewal. All of the zero width versions (virtually unlimited) are way cheaper and look the exact same and function the same.

It’s like ens is selling Louis Vuitton bags AND the knock offs

It looks bad

Why would you want to refund fraudsters (assumimg most non-emoji zwj names were registered with bad intentions) when the same money could go into marketing or partnerships for example?

The LV knock-off analogy you provided is inaccurate here I think. If the police caught you with a van full of fakes you’d either get sentenced, pay a huge fine or at the very least get the goods taken away from you.

Perhaps if you already got your one knock-off you would like to use it yes. But you shouldn’t be able to sell them to customers blind to see the difference.

So what could be a good solution that is not client-side to stop the aftermarket of these domains?

Because I don’t think non-transferability in itself would be possible for the erc standard utilized here.
Nor is it possible to just set all Registrant To a burn address (0x0) I think but in that theoretical case you could still renew and use existing records as is without being able to sell. And it would of course also ruin the point of self-custody in decentralization as a whole.

So we are basically left with partial client-side fixes and resolver / pricing updates.
No refund for fakes is my take on this.

Every 3 and 4 letter crypto name
Every celebrity name
Everything popular and unique

All of these have fans and ppl promised exclusivity aesthetically. This was the justification for premium prices. And all of them have nothing unique about them anymore as far as availability goes and they are all functional.

And the “van full of fakes” ens sold the fakes! This is lack of foresight and it’s a big deal. Ppl aren’t going to care if there a warning on metamask about non ascii characters, if a person really wants doge.eth or eth.eth but it’s taken they can just buy one of the limitless other doge.eth or eth.eth names available with zero width for way cheaper.

Like there are a handful of ppl compaining rn imagine when there is more adoption and even when more of the ppl who already have what they think are cool one of a kind names they paid premiums for find out they aren’t one of a kind

Not refunding assumed fraudsters is theft and makes ens look no better than real scammers like just fix it it’s been years and this is a time bomb

I see your point, indeed it could be a time bomb in its way. So you’re suggesting refunds and making them unresolvable at the same time am I right?

yes refunds for any name that is made unresolvable that was resolvable when initially purchased.

idk if they can just whitelist emojis as they come out and make all anything else that uses zero width unavailable. i think this would be best.

there are ppl using non ascii for text art and to make dongers out of eth names. imo the warnings ens has worked out with wallet providers would be sufficient for non ascii ‘clones’ as long as all zero width names were unresolvable minus some kind of emoji whitelist.

In those cases you’re not using ENS. Unless I’m misunderstanding you?

yes you are missing my point. uniswap is a contract address but i don’t have to click to copy or type the address in.

paypal and venmo for instance, i don’t have to type in my friends bank acct routing number to send them money, i look them up and click pay/send. web3 addresses used to send and receive payments will move towards having a clickable send/pay/buy button for the address just like when i interact with uniswap or yearn or any dapp.

in the future, when i have a list of web3 contacts that i interact with to send and receive money from friends and family to businesses, the ui won’t discern what is zero width joiners so you will have many clones that look exactly the same.

if im the worlds largest pizza chain and i want to start receiving payments in doge or btc or some erc20 token bc im forward thinking and i decide i want a triple pizza slices emoji .eth name so i buy it for 600+ dollars and think it’s unique or premium, well it’s not with zero width joiners. the front end ui will make any triple pizza slice emoji .eth ens name with zero width joiners look the same and ens promised otherwise and gave limited availability as a reason for premium pricing.

imo looking for solutions from wallet providers putting warnings on addresses seems like a temporary band aid.

the fix is to make all addresses using zero width joiners unresolvable, refund the money to anyone that bought a name using zero width, and maintain a whitelist of emojis that use joiners.

the zero width issue is bigger than the non ascii lookalike characters, but really why not just be done with it and make all non ascii names unresolvable and maintain a whitelist of emojis?