Registrars can overwrite domain-name details of other registrars
Description
There is missing validation logic in the nameTokenize() function that creates severe security implications beyond simple duplicate tokenization. This function does not verify whether a token already exists for the domain, allowing registrars to accidentally tokenize the same name multiple times.
This issue also enables malicious cross-registrar attacks. However, the client has stated that registrars are to be considered as trusted entities, and thus we will assume that they will not deliberately perform such attacks.
When a registrar calls nameTokenize(), it overwrites the existing _domaState.nameTokens entry even if one already exists, meaning a registrar could accidentally or deliberately overwrite name information controlled by another registrar.
The approveTokenization function has the proper validation logic, implemented below:
    // Look up the existing record for this name id.
    LibDoma.Name storage name = _domaState.names[nameId];
    // A non-zero registrarIanaId means the name is already tokenized, so refuse to proceed.
    if (name.registrarIanaId != 0) {
        revert NameAlreadyTokenized(sld, tld);
    }
However, this validation is completely absent in nameTokenize(), creating an attack vector for malicious registrars to overwrite details of domain names from other registrars.
Note that this issue also affects the eoiImport() function, which does not check that the EOI name being modified has a registrarIanaId matching that of the calling registrar.
Impact
In the worst case, a registrar being able to overwrite domain name details of another registrar is critical in severity. Adversarial registrars can claim each other's on-chain ownership of names.
However, the client has stated that registrars are to be trusted to not act maliciously. Because of this, we think the likelihood of such an action occurring is extremely low, even accidentally.
Recommendations
It is recommended to add the aforementioned validation code to the nameTokenize() and eoiImport() functions.
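The following is an added, illustrative Solidity contract (not the audited D3 code) that puts the unchecked write pattern described above next to the hardened form the recommendation asks for, and applies the equivalent ownership check to eoiImport(). Only the identifiers that appear in this finding are taken from it (nameTokenize, eoiImport, _domaState.names, _domaState.nameTokens, registrarIanaId, NameAlreadyTokenized); the struct layout, the registrarOf lookup used to resolve the caller's IANA id, the expiresAt field, and the NotNameRegistrar and UnknownRegistrar errors are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction for this finding, not the project's code.
// Assumed: struct layout, registrarOf mapping, expiresAt field, extra errors.
library LibDoma {
    struct Name {
        uint256 registrarIanaId; // 0 means "not tokenized yet" (as in the finding)
        string sld;
        string tld;
        uint64 expiresAt;        // assumed field touched by eoiImport
    }

    struct State {
        mapping(bytes32 => Name) names;          // nameId => name record
        mapping(bytes32 => uint256) nameTokens;  // nameId => token id
        mapping(address => uint256) registrarOf; // assumed: registrar account => IANA id
    }
}

contract DomaExample {
    error NameAlreadyTokenized(string sld, string tld);
    error NotNameRegistrar(bytes32 nameId, uint256 owner, uint256 caller); // assumed
    error UnknownRegistrar(address caller);                                 // assumed

    LibDoma.State private _domaState;
    uint256 private _nextTokenId = 1;

    // Demo-only bootstrap: registrars are fixed at deployment.
    constructor(address[] memory accounts, uint256[] memory ianaIds) {
        require(accounts.length == ianaIds.length, "length mismatch");
        for (uint256 i = 0; i < accounts.length; i++) {
            _domaState.registrarOf[accounts[i]] = ianaIds[i];
        }
    }

    modifier onlyRegistrar() {
        if (_domaState.registrarOf[msg.sender] == 0) revert UnknownRegistrar(msg.sender);
        _;
    }

    function nameId(string memory sld, string memory tld) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(sld, ".", tld));
    }

    // The pattern the finding describes: every call writes unconditionally, so a
    // second registrar (or the same one, twice) silently replaces the record.
    function nameTokenizeUnchecked(string calldata sld, string calldata tld)
        external onlyRegistrar returns (uint256 tokenId)
    {
        bytes32 id = nameId(sld, tld);
        tokenId = _nextTokenId++;
        _domaState.names[id] = LibDoma.Name(_domaState.registrarOf[msg.sender], sld, tld, 0);
        _domaState.nameTokens[id] = tokenId;
    }

    // Hardened form: the same guard approveTokenization already performs.
    function nameTokenize(string calldata sld, string calldata tld)
        external onlyRegistrar returns (uint256 tokenId)
    {
        bytes32 id = nameId(sld, tld);
        LibDoma.Name storage name = _domaState.names[id];
        if (name.registrarIanaId != 0) {
            revert NameAlreadyTokenized(sld, tld);
        }
        tokenId = _nextTokenId++;
        name.registrarIanaId = _domaState.registrarOf[msg.sender];
        name.sld = sld;
        name.tld = tld;
        _domaState.nameTokens[id] = tokenId;
    }

    // eoiImport: modifying an existing record requires that it belongs to the caller.
    function eoiImport(string calldata sld, string calldata tld, uint64 expiresAt)
        external onlyRegistrar
    {
        bytes32 id = nameId(sld, tld);
        LibDoma.Name storage name = _domaState.names[id];
        uint256 caller = _domaState.registrarOf[msg.sender];
        if (name.registrarIanaId != caller) {
            revert NotNameRegistrar(id, name.registrarIanaId, caller);
        }
        name.expiresAt = expiresAt; // assumed update performed by the import
    }

    function ownerOfName(string calldata sld, string calldata tld) external view returns (uint256) {
        return _domaState.names[nameId(sld, tld)].registrarIanaId;
    }
}
```

With two registrar accounts deployed, calling nameTokenizeUnchecked for the same name from each account leaves ownerOfName reporting the second caller's IANA id, whereas the guarded nameTokenize reverts with NameAlreadyTokenized on the second call and eoiImport reverts with NotNameRegistrar when invoked by a registrar that does not own the record.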
Remediation
This issue has been acknowledged by D3, and a fix was implemented in commit 2e4a5b3d.