Research Summary: Ethereum Name Service: the Good, the Bad, and the Ugly
TLDR
- Traditional domain names are controlled by centralised entities and possess several design flaws that make them less secure.
- Although the Ethereum Name Service (ENS) offers blockchain-based alternatives to traditional domain names, this study is the first targeted research on the service.
- This large-scale study reveals that ENS is indeed popular with unique uses but still possesses a number of security risks that should be addressed by the community.
Core Research Question
What is the adoption level of ENS in the community and in what ways is it being used? What underlying security issues prevail in the system?
Citation
Xia, P., Wang, H., Yu, Z., Liu, X., Luo, X., & Xu, G. (2021). Ethereum name service: the good, the bad, and the ugly. arXiv preprint arXiv:2104.05185.
https://arxiv.org/pdf/2104.05185
Background
- Domain Name: A domain name for a website can be likened to the address of a house. Domain names allow a website to be easily found and accessed by users and networks on the Internet. Examples include google.com and medium.com. Domain names were introduced as a user-friendly replacement to the Internet Protocol (IP) address.
- Domain Name System (DNS): A network protocol that helps map domain names with network information such as IP addresses. Mapping is operated in a hierarchical manner with top-level domains like .com, .org, .edu, and several others.
- Top-level domains (TLDs): The last part of a domain name represented after the dot. In the domain name google.com, .com is the TLD. They are managed by organisations such as the Internet Corporation for Assigned Names and Numbers (ICANN).
- Second level domains (2LDs): The part of a domain name that comes before the TLD. In google.com, google is the 2LD.
- Zooko’s Triangle: Proposed by Zooko Wilcox-O’Hearn, this triangle names three essential properties an ideal name system should possess: it should be human-meaningful, secure, and decentralised. Zooko believed that a name system could not possess all three properties at once and must compromise on one of them.
- Blockchain Name Service (BNS): A blockchain-based alternative to DNS that claims to be a solution to Zooko’s triangle. Early BNS models like Namecoin and Handshake seek to totally replace the traditional DNS.
- Ethereum Name Service (ENS): A BNS model built on the Ethereum blockchain. ENS uses smart contracts to perform the function of traditional domain name registrars and map human readable names to machine-readable identifiers.
- Resolver: A kind of smart contract that stores the mapping of domain names to records and is responsible for the actual process of translating names into Ethereum addresses. These records may also include content hashes and text records.
- Registry: A single smart contract used to maintain a list of all the domains and subdomains on ENS. In this contract, three pieces of information about each of these domains are stored: the owner of the domain, the resolver for the domain, and the caching time-to-live for all records under the domain.
- Registrar: Another smart contract on ENS that owns a name, and can automatically assign subdomain names to other users based on certain rules and conditions.
- Labelhash: The output of the keccak-256 function applied to a label. A label is a single part of a domain name, e.g. in the bob.eth domain name, the labels are bob and eth.
- Namehash: A function that creates a fixed-length 256-bit cryptographic hash for any complete human-readable domain name on ENS, e.g. bob.eth. The output of this function is referred to as a node hash (not to be confused with node client). ENS works with these node hashes to uniquely identify domain names on the system instead of human-readable names.
- Content Hash: A unique hash identifier for content which can be obtained when files are uploaded to storage systems like the InterPlanetary File System (IPFS). ENS introduced this field for resolver contracts to map content to a specific domain name.
- Text Record: Managed by the resolver, this field is used to attach any random data to an ENS name. This may include email addresses, URLs, social media profiles, description of the name owner, and any other metadata the user wishes to add.
- Event Logs: Used to describe an event within a smart contract. In the case of ENS, this could be name registration, name expiry, subdomain name creation, and a variety of other activities carried out by the ENS smart contracts.
- Geth: One of the three original implementations of the Ethereum protocol used for implementing a node. It is written in Go, fully open source and licensed.
- Alexa: Top website popularity ranking site owned by Amazon. To be shut down by 1 May 2022.
- Application Binary Interface (ABI): An ABI is a contract between pieces of binary code. It defines how functions are called and how otherwise unrelated pieces of code must work together.
- Vickrey Auction: A type of auction in which the highest bidder pays the second highest bid for the item auctioned. It is also known as a sealed-bid second-price auction (SBSPA) because the bidders submit written bids and the bids of others are not shared publicly.
- Permanent Registrar: Deals with the registration and annual rent payment of names over 6 characters in length. Was put in place on May 4th 2019.
- Short Name Claim: The period in July 2019 when ENS allowed the reservation of .eth names with the length of 3 - 6 by persons who possessed eligible equivalents in the traditional DNS system.
- Short Name Auction: The auction process conducted on OpenSea in September 2019 where ENS sold names using an English auction. The winning bid was the registration fee for the first year of the lifespan of the domain name.
- The Great Renewal: The renewal period in August 2020 for all names registered during the Vickrey auction period.
- Domain Squatting: Purchasing a domain name, usually a popular or generic one, to prevent others including the rightful owners from purchasing or profiting from its use.
- Record Persistence: The maintenance of ENS name and subdomain name records even after the expiry of the name itself.
Summary
- With its strength in immutability and decentralisation, blockchain technology has been applied to improve the traditional DNS. Some of these BNS solutions like Handshake, Namecoin, EmerDNS and UnstoppableDomains aim to totally replace DNS.
- ENS, a BNS built on the Ethereum blockchain, is different because it seeks to complement and not replace the traditional DNS with its features. At the time of the writing of the paper, ENS had clocked four years since its launch but had no significant research done on its benefits, use, and security risks. This study aims to correct this.
- ENS was launched in March 2017 but was shut down after two malfunctions were discovered in the code. It was relaunched in May that same year with 192,471 registered in the first 7 months using a Vickrey auction.
- Darkmarket.eth was the most valuable name with a price of over 20,000ETH at the time. The winning bidder got the name at the second highest bid price while the losers would receive a refund of 0.5% less than their original bid deposits.
- The Vickrey auction was replaced in 2019 with the permanent registrar and the registrar controller. Annual renewal fees for names with more than 6 characters started at $5 every year. The registrar controller introduced the possibility of delegating name management to another Ethereum address.
- The short name claim period in July 2019 gave owners of traditional TLDs and 2LDs the opportunity to pay advance rent for ENS name equivalents or variants. Famous traditional websites like NBA and Ebay applied for .eth names during this period. Prices for names were adjusted to $640 for 3 character names, $160 for 4 character names, and $5 for 5 - 6 character names.
- Names relating to popular brands like ‘apple’ and ‘google’ and names relating to terms like ‘sex’ and ‘porn’ received much attention during the short name auction on OpenSea in September 2019.
- Today, ENS has evolved and now shares similarities with traditional domain names. Prices for name registration and annual renewal are now dependent on the length of the name. Anyone can renew a name during the 90-day grace period after its expiration.
- The most widespread use of ENS has been proven to be as an alternative to blockchain addresses. Other uses include setting content hashes, public key records, descriptions and text records.
- There are obvious signs of domain squatting. These include explicit squatting by claiming names of known brands and typo-squatting.
- Bad actors are also exploiting ENS for illegal and malicious purposes like linking to gambling websites, adult content, and scam activities.
- Record persistence attacks also pose more security risks to users. ENS maintains records on names even after their expiry dates.
- ENS shows a promising future but still needs to be properly studied and monitored.
Method
- The authors employed a thorough tripartite quantitative approach to collect the primary dataset used for the research.
- The first step was to collect from Etherscan all ENS official smart contracts related to name registration and name renewal which are the core functions of ENS. These contracts include registry contracts, resolver contracts, registrar contracts, registrar controller contracts and a short name claim contract.
- Then, Geth was used to synchronise the Ethereum ledger and extract event logs. Each contract's ABI was fetched and used to decode the event logs. Through this, it was possible to get name-owner mappings, name resolver mappings from registry contracts, name records history from resolver contracts, and auction/registration history from registrar contracts. Extra open source resolvers were added with their event logs fetched and decoded based on their ABIs.
- Last, the hash values of the ENS names were restored to readable names. This was done by first accessing the name-hash dictionary of ENS developers uploaded on Dune Analytics. Then the labelhashes of over 460,000 English words and Alexa’s top 100,000 domain list were compared to the hashes in the registry event logs to obtain their readable values.
- Non-ETH addresses, content hashes, and text records were also decoded based on the rules in their ENS documentation: EIP-2304, EIP-1577, and EIP-634.
- Data on the Short Name Auction was obtained by analysing the data shared by OpenSea in the ENS blog. This was because the auction was conducted on OpenSea and ENS contracts’ event logs did not have details of the auction.
- As arbitrary text records are set in the form of key-value records with predefined keys, an analysis was performed on the keys of these text records without the empty values to obtain their content.
- To check for explicit squatting, the labelhash of each 2LD in the Alexa list was matched with its corresponding labelhash in an ENS name. The test is whether an Ethereum address has more than one famous brand’s domain name; if so, it must be a squatter as these brands are not owned by the same person.
- To detect typosquatting, dnstwist is used to generate typo-squatting variants of the Alexa top 100,000 names. Dnstwist can create different typo-squatting variants through methods like addition, bitsquatting, homoglyphs, hyphenation, insertion, omission, repetition, replacement, transposition, vowel-swap, and various. All Alexa top 100,000 domains are input into dnstwist and the labelhashes of their 2LDs are calculated to check if the squatting names have been registered on ENS.
- To check the possibility of bad actors exploiting ENS functionalities to deliver malicious or illegal web contents, all URLs obtained from the text records and content hashes are first uploaded to VirusTotal. Then, Eyewitness is used to get the screenshots and source codes of these websites.
- This data is subsequently uploaded to Google Cloud Natural Language API and Vision API to check if the URLs contain censored content. Suspicious URLs are all manually inspected to reduce false positives.
- To check if blockchain addresses stored in ENS are used for malicious purposes, a scam address list is compiled from sources like Etherscan, Bloxy, BitcoinAbuse, and CryptoScam. The list is then matched for similarities to get results.
Results
- By employing the method above, the authors obtained ledger information up to block 10,746,639 (i.e., 2020-08-28 03:03:42 UTC) on Ethereum. Therefore, all results discussed were obtained in this time frame. A total of 2 million registry logs, 3.4 million registrar logs, 200 thousand resolver logs, and over 3,000 transactions related to text records were collected.
- Since the launch of ENS, 107,617 addresses have participated in the registration of 465,827 ENS names. 183,000 of these names were still active at the time of the study. 2,254 traditional DNS names have also been integrated on ENS.
- Over 35% of active addresses own more than one ENS name. An address 0xbcbd4885ee8b2b74249c5ad9b8b668fb256a51b1 had registered up to 2,262 names including common words and names of famous brands.
- ENS names with more than 6 characters are more popular due to the reduced costs of purchase. 54% of active names are those with 5 - 8 characters.
- A total of 361,751 names were bid on during the Vickrey auction with 274,052 registered. 17,625 addresses took part in the auction with 45% of bids placed at 0.1ETH.
- 7,670 names were sold for a total of 5,697ETH during the Short Name Auction. Decentraland went on ENS in February 2020. Over 12,000 subdomains were created from its own domain name.
- Users are taking advantage of the ENS feature of assigning records to a name. 140,000 names have set records over 170,000 times. Most records contain blockchain addresses with Ethereum being the most preferred at 114,542 setting records. BTC comes closely after with other variations like LTC, BNB, XRP, and BCH.
- Content hash records were discovered in 5,300 names with 98% of them set for IPFS and Swarm. Text records are mainly used to store URLs. 50% of these URLs are set to subdomains of OpenSea.
- Text records containing descriptions of the name, links to Twitter accounts, and customised key words were also found. There are 44 customised keywords in 214 record settings of ENS names.
- 15,179 ENS .eth explicit squatting names controlled by 1,532 Ethereum addresses were found. The address topping the list of top 10 holders of these kinds of squatting names holds up to 933.
- 85% of the 3,775 squatting names set to records were set to blockchain address records. Ethereum tops the list with OpenSea links and IPFS websites following closely. Some addresses have transferred their squatting names.
- 18,483 ENS typo-squatting names have been identified. These names target 13,450 Alexa names. The most popular typo-squatting variant is bitsquatting with 5,000 variants found. More than 52% of these names were active at the time of the study.
- Addresses have been registering suspicious ENS squatting names since the initial Vickrey auction period. This trend maintains a steady rise and fall from then to the time of the study.
- Three scam addresses have been registered in the ENS system at the time of the study. These include airdrop scams and Ponzi schemes.
- 19 malicious websites involved in gambling, adult content, and scam activities are found linked to ENS name records.
- ENS name records persist even after name expiration. 16,017 expired .eth names still have records within them alongside their 3,116 subdomains.
Discussion and Key Takeaways
- ENS has built steady popularity since its launch in 2017.
- It is proving to be a complementary tool to the existing DNS service.
- ENS names are now being used for dWebs and traditional websites.
- It inherited the attributes of blockchain technology: immutability, transparency and decentralisation.
- Rare names and names with popular words are in high demand. Users are trying to get as many names as they can.
- The most common use of ENS name records is to link blockchain addresses. Other uses include storing content hashes and text records.
- Several security issues like domain name squatting and malicious behaviours found in traditional DNS still plague the ENS system.
- New security issues posed by the use of smart contracts also exist. ENS names are highly prone to record persistence attacks. An attacker can renew a name after expiry and edit the records. Innocent buyers who are unaware of this change may still associate the .eth name with the old owner and use it in transactions.
- Given the fact that ENS names are ERC 721 tokens, could their acquisitions be based on their market profit in the future?
- What are the privacy implications for the user of this service? ENS allows users to link blockchain addresses and custom records to human readable names. If a user publishes this human readable name on a platform like Twitter, it could make way for third party surveillance of the user's address activity and balance.
Implications and Follow-ups
- It can be inferred from its active users and integrations with dApps and traditional TLDs that ENS has a healthy ecosystem.
- There need to be new solutions to enhance the security of ENS due to its inherent security risks.
- Users need to cross-check the addresses under an ENS name before approving any transaction or interaction with them.
- The ENS team aims to scale the service on Layer 2 and is working towards more integrations with traditional 2LDs. This will help reduce costs and facilitate use.
- The authors acknowledge that there have been several studies on the designs of BNSs. Hari et al. propose a distributed, tamper-resistant DNS infrastructure as a solution to the limitations of traditional DNS and its dependence on Public Key Infrastructures (PKIs).
- Guan et al. present a domain authentication scheme, AuthLedger, to reduce trust in certificate authorities. Other studies like He et al. seek to put forward discussions on how to improve the security of DNS nodes. He et al. put forward a novel decentralised DNS root management architecture based on a permissioned blockchain.
- Gourley et al. is also cited for their proposal of an improved DNSSEC based on blockchain.
- Other works relating to the analysis of BNS systems are also cited. The empirical analysis by Kalodner et al. on Namecoin is mentioned. Works that border on the properties of BNS systems like that of Patsakis et al. are also mentioned. Patsakis et al. analyze security threats to BNS systems such as malware, underlying registrar mechanism, domain market, phishing, motivation and immutability.
- Liu et al. and Karaarslan et al. compare the designs of several blockchain-based DNSs including ENS.
- The authors note that there has been no worthy mention of systematic study of ENS besides their work.
Applicability
- The methods used by the researchers can be employed by the community and ENS developers to conduct more research and improve the system.
- DApp and Blockchain wallet providers who integrate ENS functionalities should apply the methods in this research paper to detect these security issues and warn users.
- Methods in this work can be used to study other BNS solutions.