Summary
.eth registrar controller can shorten the duration of registered names
Description
According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the expiration time of existing domains. However, a preliminary analysis suggests that an attacker-controlled controller may be able to reduce the expiration time of existing domains due to an integer overflow in the renew function.
The vulnerability resides in the following GitHub repository: https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171
The vulnerable line of code is:
require(
expiries[id] + duration + GRACE_PERIOD > duration + GRACE_PERIOD
); // Prevent future overflow
In this code snippet, the duration variable is user-supplied, making it possible to provide a value that would cause an overflow on both sides of the '>' expression, ultimately rendering the condition true. Specifically, when the duration is set to 2^256 - GRACE_PERIOD, the subsequent line expiries[id] += duration; also experiences an overflow, as expiries[id] is greater than GRACE_PERIOD. This results in the reduction of expiries[id] by GRACE_PERIOD. By repeatedly calling the renew function, an attacker could potentially force the expiration of an ENS record.
You can find the PoC included in the attached document. To execute the test, please use the following command:
forge test -vvv --match-contract RegistrarExploit --fork-url <alchemy_url>
Replace <alchemy_url> with your Alchemy API URL. This command will run the Foundry test file and demonstrate the potential vulnerability.
Workarounds
As long as registration cost remains linear or superlinear based on registration duration, or limited to a reasonable maximum (eg, 1 million years), this vulnerability could only be exploited by a malicious DAO. The interim workaround is thus to take no action.
Impact
If successfully exploited, this vulnerability would enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves.
Currently, it would require a malicious DAO to exploit it. Nevertheless, any vulnerability present in the controllers could potentially render this issue exploitable in the future.
An additional concern is the possibility of renewal discounts. Should ENS decide to implement a system that offers unlimited .eth domains for a fixed fee in the future, the vulnerability could become exploitable by any user due to the reduced attack cost.
An arithmetic operation produces a value that exceeds the integer type's maximum, causing it to wrap to an unexpected small value. Typical impact: incorrect size calculations leading to heap overflows or logic errors.
CVE-2023-38698 has a CVSS score of 4.9 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.22); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
A mitigation is being developed.
Frequently Asked Questions
- What is CVE-2023-38698? CVE-2023-38698 is a medium-severity integer overflow or wraparound vulnerability in @ensdomains/ens-contracts (npm), affecting versions <= 0.0.21. It is fixed in 0.0.22. An arithmetic operation produces a value that exceeds the integer type's maximum, causing it to wrap to an unexpected small value.
- How severe is CVE-2023-38698? CVE-2023-38698 has a CVSS score of 4.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @ensdomains/ens-contracts are affected by CVE-2023-38698? @ensdomains/ens-contracts (npm) versions <= 0.0.21 is affected.
- Is there a fix for CVE-2023-38698? Yes. CVE-2023-38698 is fixed in 0.0.22. Upgrade to this version or later.
- Is CVE-2023-38698 exploitable, and should I be worried? Whether CVE-2023-38698 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2023-38698 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2023-38698? Upgrade
@ensdomains/ens-contractsto 0.0.22 or later.