ENS Spoofing Bot detects attacks in which someone registers a name visually similar to an existing one.
Forta Protocol, which monitors blockchain events in real-time, together with this bot allows attacks to be detected before they happen or to minimize the damage from them. What's more, every ENS user will be able to receive an alert if it happened to their name.
Table of spoofing techniques supported by the bot.
Names in the Ethereum Name Service are unique, but there are no restrictions on registering look-alike names that are
visually very difficult to distinguish from genuine ones.
For example, having a name vitalik.eth, an attacker can register a similar name by replacing the symbol
lowercase L with uppercase i: vitaIik.eth.
The name is visually similar, but it is treated by the protocol as a completely different name, with its own hash, as
well as an address bound to it.
This type of attack is called a homograph attack. Regarding the ENS protocol, it can be performed in the following ways:
- Substitution of character pairs i/I, i/j, O/0, w/vv, m/rn, which depending on the typeface, may be difficult or impossible to distinguish;
- Replacing ascii characters with visually similar ones from Unicode; for example, “faсebooсk.eth” uses the letters o and с from Cyrillic;
- Use of invisible Unicode characters;
- Spoofing using uppercase letters; for example, bitcoin.eth may be spoofed as Bitcoin.eth.
ENS fights this attack pretty hard by normalizing names before they are registered, as well as warning against using non-ascii characters on its site. However, to save gas, such checks have been implemented off-chain, on the frontend side. Any user can register a name bypassing the official site by calling the protocol contract directly.
Below you will find examples of spoofing techniques that can be detected by this bot.
| Original name | Spoofing name | Technique |
|---|---|---|
| bitcoin.eth | Bitcoin.eth | Uppercase |
| danger.eth | dаnger.eth | Cyrillic Homoglyph |
| glukk.eth | glükk.eth | Unicode Homoglyph |
| wildcat.eth | w1ldcat.eth | ASCII Homoglyph |
| vitalik.eth | vitalik.eth | Zero Width Space |
| wildcat100 | vv1lḍCatl00 | Multiple Techniques |
- Ethereum (1)
- AK-ENS-SPOOFING-ETH
- Fired when a transaction contains registration of a name that visually similar to an existing one
- Severity is always set to "low"
- Type is always set to "suspicious"
- Metadata:
originalName- the name of the account that was potentially spoofedoriginalAccount- the address of the account that was potentially spoofedimpersonatingName- the name of the account that registered a name similar to the one that already existsimpersonatingAccount- the address of the account that registered a name similar to the one that already exists
No data yet