CVE-2023-38698: 
JavaScript vulnerability analysis and mitigation

Ethereum Name Service (ENS) reported a vulnerability (CVE-2023-38698) in @ensdomains/ens-contracts prior to version 0.0.22. The vulnerability involves an integer overflow in the renew function that could allow an attacker-controlled controller to reduce the expiration time of existing domains, despite documentation stating that controllers should only be able to register new domains and extend existing ones (ENS Advisory).

The vulnerability exists in the BaseRegistrarImplementation.sol contract where an integer overflow can occur in the renew function. The issue stems from user-supplied duration values that could cause an overflow in both sides of a comparison expression. Specifically, when the duration is set to 2^256 - GRACE_PERIOD, it causes an overflow in the expiries[id] += duration calculation, potentially reducing expiries[id] by GRACE_PERIOD. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N (NVD).

If successfully exploited, this vulnerability would enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves. While current exploitation requires a malicious DAO, future vulnerabilities in controllers could make this issue more widely exploitable. Additionally, if ENS implements unlimited .eth domains for a fixed fee, the vulnerability could become exploitable by any user due to reduced attack costs (ENS Advisory).

The vulnerability has been patched in version 0.0.22 of @ensdomains/ens-contracts. As a workaround, ensuring that registration cost remains linear or superlinear based on registration duration, or limiting it to a reasonable maximum (e.g., 1 million years), can prevent exploitation by regular users (ENS Advisory).