CVE-2023-38698

Name of the Vulnerable Software and Affected Versions Ethereum Name Service (ENS) versions prior to 0.0.22

Description The issue is related to an integer overflow in the renew function, which could allow an attacker-controlled controller to reduce the expiration time of existing domains. This could enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves. Currently, it would require a malicious DAO to exploit it. Nevertheless, any vulnerability present in the controllers could potentially render this issue exploitable in the future. An additional concern is the possibility of renewal discounts, which could make the vulnerability exploitable by any user due to reduced attack cost.

Recommendations As long as registration cost remains linear or superlinear based on registration duration, or limited to a reasonable maximum, this vulnerability could only be exploited by a malicious DAO. The recommended action is to update to version 0.0.22 or later, which contains a patch for this issue. For versions prior to 0.0.22, the interim workaround is to take no action, as the vulnerability could only be exploited by a malicious DAO.