Sending money to a .eth domain instead of plain ethereum address? Accessing a smart contract by it’s publicized .eth name? Or, buying a coveted name on an aftermarket auction platform like You need to be aware of this attack vector. https://enslisting.com? The names are not what they look. Here is a small warm up exercise. Spot the infested names from the list below: 1a. microsoft​.eth 1b. micorsoft.eth 1c. microsoft.eth 2a. dark​market.eth 2b. darkmarket.eth If you answered 1b, wrong! micorsoft is the misspelling for microsoft, but that one atleast you can spot if you are being careful. What if I told you 1a and 2a are also infested? Here is the next exercise. Open multiple windows of , copy 1a and 1c and paste them on two different windows (on the search boxes). Look closely the namehash, owner, and highest bid: https://etherscan.io/enslookup Notice, one name was bought for 60 ETH, and the other one for 0.01 ETH. If you were asked to send 5 ETH to microsoft, will you send to microsoft​.eth or microsoft.eth? One of those names has a Zero Width character at the end, more like microsoft<invisiblecharacter>.eth Until all the Wallet Clients take care of this and alert users, you need to be vigilant. Here are a few things you can do: First, copy the address into notepad, and use the arrow keys on your keyboard to go from beginning to end. does the name pause at any character and requires two keystrokes to move to the next char? You just spotted a non printable character. Now, copy the address as it is, paste it in etherscan.io/enslookup. Open another window of etherscan, type in the correct spelling yourself. Does the namehash on both windows match? If not, you just saved yourself from a phishing attack. Let me know if that helps. I had raised the ticket for this, depending on what wallet client you use, you may or may not be at risk. Better be safe than sorry. https://github.com/ethereum/ens/issues/240 Now, a final exercise. Spot which version of darkmarket is infested, and where the infested character is. <11/10/2017> The plot thickens. See anything wrong with this name? micrоsoft.eth It is also an infested name, try to figure out what is wrong with it (the arrow keys trick wont cut it this time). Finished your research? This apparently is a legally valid name per UTS46 standards, the o after r is not the regular o, it is Cyrillic Small Letter O https://vazor.com/unicode/c043E.html Coincidentally, Nick Johnson alluded to a second layer blacklist / reputation oracle running on top of ENS registry to weed out these names though consensus mechanism, that should probably bubble up to the top in terms of priority. See the link for the video here https://medium.com/@enslisting.com/ens-talk-at-devcon-3-the-unoffical-summary-66afdb2247d1 Till then, no copy/paste, please use the good old keyboard to type in ens names letter by letter folks! Mano Samy

Microsoft

Oracle

Too Long; Didn't Read

Discover Saakuru: Web3 Mass-Adoption with 0-FEES

Dealing with ENS Names? Beware of this phishing attack…

Too Long; Didn't Read

People Mentioned

Companies Mentioned

enslisting

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Dealing with ENS Names? Beware of this phishing attack…

Too Long; Didn't Read

People Mentioned

Companies Mentioned

enslisting

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES