1.0.0 • Published 3 years ago

name-wrapper v1.0.0

Weekly downloads
-
License
MIT
Repository
-
Last release
3 years ago

ENS Name Wrapper

The ENS Name Wrapper is a smart contract that wraps existing ENS names, providing several new features:

  • Wrapped names are ERC1155 tokens
  • Better permission control over wrapped names
  • Consistent API for names at any level of the hierarchy

In addition to implementing ERC1155, wrapped names have an ERC721-compatible ownerOf function to return the owner of a wrapped name.

Making ENS names ERC1155 compatible allows them to be displayed, transferred and traded in any wallet that supports the standard.

NameWrapper implements the optional ERC1155 metadata extension; presently this is via an HTTPS URL to a service ENS operates, but this can be changed in future as better options become available.

With the exception of the functionality to upgrade the metadata generation for tokens, there is no upgrade mechanism or centralised control over wrapped names.

Wrapping a name

.eth 2LDs (second-level domains) such as example.eth can be wrapped by calling wrapETH2LD(label, wrappedOwner, fuses). label is the first part of the domain name (eg, 'example' for example.eth), wrappedOwner is the desired owner for the wrapped name, and fuses is a bitfield representing permissions over the name that should be irrevoacably burned (see 'Fuses' below). A fuses value of 0 represents no restrictions on the name.

In order to wrap a .eth 2LD, the owner of the name must have authorised the wrapper by calling setApprovalForAll on the registrar, and the caller of wrapETH2LD must be either the owner, or authorised by the owner on either the wrapper or the registrar.

All other domains (non .eth names as well as .eth subdomains such as sub.example.eth can be wrapped by calling wrap(parentNode, label, wrappedOwner, fuses). parentNode is the namehash of the name one level higher than the name to be wrapped, label is the first part of the name, wrappedOwner is the address that should own the wrapped name, and fuses is a bitfield representing permissions over the name that should be irrevocably burned (see 'Fuses' below). A fuses value of 0 represents no restrictions on the name. For example, to wrap sub.example.eth, you should call wrap(namehash('example.eth'), 'example', owner, fuses).

In order to wrap a domain that is not a .eth 2LD, the owner of the name must have authorised the wrapper by calling setApprovalForAll on the registry, and the caller of wrap must be either the owner, or authorised by the owner on either the wrapper or the registry.

Wrapping a name by sending the .eth token

An alternative way to wrap .eth names is to send the name to the NameWrapper contract, this bypasses the need to setApprovalForAll on the registrar and is preferable when only wrapping one name.

To wrap a name by sending to the contract, you must use safeTransferFrom(address,address,uint256,bytes) with the extra data (the last parameter) ABI formatted as [string label, address owner, uint96 fuses].

Example:

// Using ethers.js v5
abiCoder.encode(
  ['string', 'address', 'uint96'],
  ['vitalik', '0x...', '0x000000000000000000000001']
)

Unwrapping a name

Wrapped names can be unwrapped by calling either unwrapETH2LD(label, newRegistrant, newController) or unwrap(parentNode, label, newController) as appropriate. label and parentNode have meanings as described under "Wrapping a name", while newRegistrant is the address that should own the .eth registrar token, and newController is the address that should be set as the owner of the ENS registry record.

Working with wrapped names

The wrapper exposes all the registry functionality via its own methods - setSubnodeOwner, setSubnodeRecord, setRecord, setResolver and setTTL are all implemented with the same functionality as the registry, and pass through to it after doing authorisation checks. Transfers are handled via ERC1155's transfer methods rather than mirroring the registry's setOwner method.

In addition, setSubnodeOwnerAndWrap and setSubnodeRecordAndWrap methods are provided, which create or replace subdomains while automatically wrapping the resulting subdomain.

All functions for working with wrapped names utilise ERC1155's authorisation mechanism, meaning an account that is authorised to act on behalf of another account can manage all its names.

Fuses

NameWrapper also implements a permissions mechanism called 'fuses'. Each name has a set of fuses representing permissions over that name. Fuses can be 'burned' either at the time the name is wrapped or at any subsequent time when the owner or authorised operator calls burnFuses. Once a fuse is burned, it cannot be 'unburned' - the permission that fuse represents is permanently revoked.

Before any fuses can be burned on a name, the parent name's "replace subdomain" fuse must first be burned. Without this restriction, any permissions revoked via fuses can be evaded by the parent name replacing the subdomain and then re-wrapping it with a more permissive fuse field. Likewise, when any fuses on a name are burned, the "unwrap" fuse must also be burned, to prevent the name being directly unwrapped and re-wrapped to reset the fuses. These restrictions have the effect of allowing applications to simply check the fuse value they care about on the name they are examining without having to be aware of the entire chain of custody up to the root.

The ENS root and the .eth 2LD are treated as having the "replace subdomain" and "unwrap" fuses burned. There is one edge-case here insofar as a .eth name's registration can expire; at that point the name can be purchased by a new registrant and effectively becomes unwrapped despite any fuse restrictions. When that name is re-wrapped, fuse fields can be set to a more permissive value than the name previously had. Any application relying on fuse values for .eth subdomains should check the expiration date of the .eth name and warn users if this is likely to expire soon.

The fuses field is 96 bits, and only 7 fuses are defined by the NameWrapper contract itself. Applications may use additional fuse bits to encode their own restrictions on applications. Any application wishing to do so should submit a PR to this README in order to record the use of the value and ensure there is no unintentional overlap.

Each fuse is represented by a single bit. If that bit is cleared (0) the restriction is not applied, and if it is set (1) the restriction is applied. Any updates to the fuse field for a name are treated as a logical-OR; as a result bits can only be set, never cleared.

CANNOT_UNWRAP = 1

If this fuse is burned, the name cannot be unwrapped, and calls to unwrap and unwrapETH2LD will fail.

CANNOT_BURN_FUSES = 2

If this fuse is burned, no further fuses can be burned. This has the effect of 'locking open' some set of permissions on the name. Calls to burnFuses will fail.

CANNOT_TRANSFER = 4

If this fuse is burned, the name cannot be transferred. Calls to safeTransferFrom and safeBatchTransferFrom will fail.

CANNOT_SET_RESOLVER = 8

If this fuse is burned, the resolver cannot be changed. Calls to setResolver and setRecord will fail.

CANNOT_SET_TTL = 16

If this fuse is burned, the TTL cannot be changed. Calls to setTTL and setRecord will fail.

CANNOT_CREATE_SUBDOMAIN = 32

If this fuse is burned, new subdomains cannot be created. Calls to setSubnodeOwner, setSubnodeRecord, setSubnodeOwnerAndWrap and setSubnodeRecordAndWrap will fail if they reference a name that does not already exist.

CANNOT_REPLACE_SUBDOMAIN = 64

If this fuse is burned, existing subdomains cannot be replaced by the parent name. Calls to setSubnodeOwner, setSubnodeRecord, setSubnodeOwnerAndWrap and setSubnodeRecordAndWrap will fail if they reference a name that already exists.

Checking Fuses using allFusesBurned(node, uint96)

To check whether or not a fuse is burnt you can use this function that takes a fuse mask of all fuses you want to check.

const areBurned = await allFusesBurned(
  namehash('vitalik.eth'),
  CANNOT_TRANSFER | CANNOT_SET_RESOLVER
)
// if CANNOT_UNWRAP AND CANNOT_SET_RESOLVER are *both* burned this will return true

Get current fuses and parent safety using getFuses(node)

Get fuses gets the raw fuses for a current node and also checks the parent hierarchy for you. The raw fuses it returns will be a uint96 and you will have to decode this yourself. If you just need to check a fuse has been burned, you can call allFusesBurned as it will use less gas.

The parent hierarchy check will start from the root and check 4 things:

  1. Is the registrant of the name the wrapper?
  2. Is the controller of the name the wrapper?
  3. Are the fuses burnt for replacing a subdomain?
  4. Is the name expired?

This is represented by enum NameSafety {Safe, Registrant, Controller, Fuses, Expired}

Lastly it will return to you the first node up the hierarchy that is vulnerable. After it finds a vulnerable node, it will break from checking and so it needs to be rechecked for children down the hierarchy once the vulnerable node has been made safe.

Installation and setup

npm install

Testing

npm run test

Any contract with 2 at the end, is referring to the contract being called by account2, rather than account1. This is for tests that require authorising another user.

@ensdomains/ens-contracts@nomiclabs/hardhat-ethers@nomiclabs/hardhat-waffle@openzeppelin/contractschalkethereum-waffleethershardhatnode-watchqrcode-terminalramdasolium
@infinitebrahmanuniverse/nolb-nam@everything-registry/sub-chunk-2243@monsterdomains/mid-contracts@onusdomain/onus-contracts@onusdomains/onus-contracts
1.0.0

3 years ago