Full Report
ENS stores domains. Once a name has been registered, an off-chain metadata service written in JS/TS picks it up. This happens in the following steps:
- Register the name.
- The contract emits a `NameRegistered` event.
- The ENS metadata service consumes the event.
- The metadata service passes the event info to the Subgraph.

When the JS/TS code parses the string, it sees 0x00 as a null byte and terminates the string there. By registering a name with a null byte at the end, the registration is not a duplicate on-chain, yet it can appear as an arbitrary string in the Subgraph! This is a pretty neat vulnerability: the combination of systems creates terrible and unexpected vulnerabilities.
Analysis Summary
# Vulnerability: ENS Metadata Service Null-Byte Name Spoofing
## CVE Details
- **CVE ID:** Not Assigned (Identified via Bug Bounty)
- **CVSS Score:** Estimated 7.5 (High)
- **CWE:** CWE-170: Improper Null Termination, CWE-451: User Interface Misrepresentation of Critical Information
## Affected Systems
- **Products:** Ethereum Name Service (ENS) Off-chain Infrastructure
- **Versions:** Systems operational prior to April 5, 2022.
- **Configurations:** The JS/TS-based ENS Metadata Service and the ENS Subgraph.
## Vulnerability Description
The vulnerability stems from an inconsistency in how different systems handle string termination. When a user registers an ENS name, the smart contract emits a `NameRegistered` event. This event includes the raw registration string.
The ENS Metadata Service (written in JavaScript/TypeScript) and the Subgraph consume these events. However, because JS/TS interprets the `0x00` (null-byte) character as a string terminator, any characters following the null-byte were discarded during processing. By registering a name like `example.eth\0`, the on-chain Keccak-256 hash remained unique (due to the extra byte), but the metadata service rendered the name simply as `example.eth`.
## Exploitation
- **Status:** PoC created; reported via Bug Bounty. No documented malicious exploitation in the wild.
- **Complexity:** Low
- **Attack Vector:** Network (On-chain transaction)
## Impact
- **Confidentiality:** None
- **Integrity:** High (Metadata integrity is compromised)
- **Availability:** Low (Potential database unique constraint conflicts)
- **Summary:** An attacker could "clone" existing high-value ENS names in the metadata layer. This could be used to facilitate phishing or fraud on NFT marketplaces (like OpenSea or LooksRare) that rely on the metadata service to display the name, making a fake asset appear identical to an authentic one.
## Remediation
### Patches
- **ENS Metadata Service:** A patch was rolled out immediately following the April 5, 2022 report to properly handle or sanitize null-bytes in string parsing.
- **Subgraph:** Updated to ensure identical string clones do not overwrite or spoof legitimate entries.
### Workarounds
- **Manual Verification:** Users were advised to verify the original "Mint Date" of a name; the earliest registration date indicates the authentic version.
## Detection
- **Indicators of Compromise:** ENS names containing `0x00` suffixes in registry events.
- **Detection Methods:** Audit of the ENS Subgraph for names that appear identical but possess different underlying labels/hashes. Monitoring for database errors related to "Unique" column constraints (as noted by third-party database maintainers during the event).
## References
- **Twitter Thread:** hxxps://twitter[.]com/lcfr_eth/status/1516255490589827072
- **ENS Bug Bounty Announcement:** hxxps://twitter[.]com/ENS_DAO/status/1516140000000000000
- **Researcher Profile:** hxxps://github[.]com/lcfr-eth/