In order to provide robust protections against transaction reordering attacks, a commit reveal scheme is used for name registration. In this scheme, registrants must first submit a commitment to their desired name (the hash of the tuple (name, owner, salt)). Once a predetermined number of blocks have passed, the registrant can reveal the preimage to the commitment and register the name to the desired owner.

A frontrunner can frontrun both a commitment tx and an registration tx. There are four ways to commit to a name (see below), and only one way to register. We analyse each in turn. In all cases below, we note that knowledge of the commitment does not bestow knowledge of the domain in the preimage, meaning that a frontrunner is not able to submit a competing commitment tx for the same name but with a different owner.

Names can be registered by a relayer on behalf of a registrant using EIP-712 signed messages. This allows for low-trust, zero transaction, gas free name registration (relayers can always censor, and depending on the workflow may be able to front-run or block domain registration).

There are 3 signature based methods that can be used to commit to a name registration:

• commitWithPermit: allows callers to commit to name without first having to call approve on the radicle token
• commitBySig: allows a relayer to commit to a name on behalf of another party
• commitBySigWithPermit: allows a relayer to commit to a name on behalf of another party without that party needing to first call approve on the radicle token

The final method (commitBySigWithPermit) allows registrants to register a radicle.eth subdomain by signing two EIP-712 messages:

1. a permit message allowing the relayer to withdraw tokens from the registrants account
2. a commitBySig message allowing the relayer to make a commitment on the registrants behalf

If the relayer is trusted with the commitment preimage, they can also call register on behalf on the registrant once the minimum commit/reveal delay has elapsed.

The above methods allow a few different workflows, each differing in the trust assumptions made regarding the relayer and in the number of on chain transactions that must be submitted by the registrant:

The following are human readable properties that should hold for all possible Registrar states.

In VestingToken.sol, the withdrawableBalance() method will revert if vesting has been terminated, but the vesting period has not yet ended, due to a subtraction underflow at L84.

It is expected that withdrawableBalance should always return 0 after vesting has been terminated, which can be achieved by adding:

if (interrupted) return 0;

to the beginning of withdrawableBalance, and moving

interrupted = true;

to the bottom of terminateVesting().

After vesting is terminated, the withdrawn variable will always be equal to the total amount to be vested, regardless of whether the beneficiary received the full amount or if vesting was terminated prematurely.

Instead of setting:

withdrawn = totalVestingAmount;

setting

withdrawn = totalToBeVested;

would more accurately reflect the token amount that the beneficiary has received.

When a proposal passes, the Governor queues all the corresponding function calls in the Timelock, which allows them to be executed after the Timelock.GRACE_PERIOD has passed.

In this process, the function calls are identified by txHash = keccak256(abi.encode(target, value, signature, data, eta)), and proposals which contain more multiple function calls with the same txHash cannot be queued or executed.

This restriction limits the possible actions of Radicle Governance, as it makes it unable to perform certain stateful function calls. For example, if Governance needed to deploy multiple contracts from a factory in the same transaction, it would be unable to call Factory.build() multiple times within the same proposals.

Allowing repeated function calls within the same proposals could easily be achieved, for example by adding salt or a nonce to transactions.

The setDomainOwner method in the Registrar makes a call to setRecord on the ENS registry, and passes in the address of the new owner as the new resolver value, and a value of 0 for the ttl.

Setting the resolver and ttl values for the domain during an ownership change seems unnecessary, and could lead to disruption for downstream clients who rely on the resolver for the radicle.eth domain, especially as the resolver value is almost certainly incorrect.

setDomainOwner should call setOwner on ens, and separate admin methods should be added in the Registrar that allow setting of the resolver and ttl values on the radicle.eth domain.

The new ENS registry implements a mechanism where lookups will fallback to the old registry if the owner field of a record is set to address(0). This means that address(0) acts as a sentinel value indicating that the name does not have an owner in the new registry, but it may still have a record in the old registry. The new registry also makes use of an additional sentinel value: the address of the registry itself. This value has the meaning: "this name does not exist in the old registry and is controlled by address(0)".

If users call setOwner(node, address(0)) on the new registry, the owner field on the record will in set to the address of the registry itself, and when calling owner(node), address(0) will be returned if the owner field has a value of address(this).

The radicle registrar uses a call to ens.recordExists(node) as part of registerRad to check if a domain has already been registered. recordExists does not take the above mechanism into account, and will return false iff the owner field has been set to address(0). This means that if the owner of a radicle domain decides to revoke their ownership by calling ens.setOwner(domain, address(0)) the domain owner will be set to address(this), and ens.recordExists(domain) will always return true for that domain, meaning that it can never again be registered.

This issue can be avoided by using a call to ens.owner(domain) (which accounts for the various internal sentinel values) instead of the call to ens.recordExists.

The radicle registrar does not set a value for the resolver field for newly registered subdomains. While this field can be set by owner subsequent to the name registration, it involves an extra transaction.

Name registration UX could be improved by setting a sensible default for the resolver field in newly created radicle.eth subdomains (perhaps to the same value as used for radicle.eth).

An attacker with a good view of the mempool could watch for transactions registering new radicle.eth subdomains and submit a transaction with a higher gas price claiming the name for themselves.

While this attack has an up-front cost, they can now offer the name to the original submitter of the transaction for more than the cost of submitting the transaction.

To avoid this issue, a commit/reveal scheme could be implemented:

1. submit a commitment to register a domain (commit(keccak256(name, owner, secret)))
2. submit a registration transaction within some predetermined time period (register(name, owner, secret))

An attacker who is watching the mempool cannot see which name/owner pairs are being committed to, and once the registration transaction is revealed, they are unable to take the name for themselves (they can of course still register the name on behalf of the owner specified in the commitment).

The NameRegistered event contains the ens node associated with the registered name, but does not include the name itself. While the name can be recovered via calldata, this procedure is more complex and not supported by many popular tools (e.g. Dune Analytics).

Adding the domain name to the NameRegistered even will make life easier for users of the radicle registrar.

Adding events makes it easier for interfaces and other tools to quickly analyze the state of contracts, and cheaply recreate its historical state.

Registering a name under radicle.eth may be quite cheap directly after the launch, and there is a risk that many high value names will be claimed by squatters.

It may be prudent to investigate restrictions on the registration of very short names, or names of existing high profile software projects (e.g. the largest 100 projects on github). The team may also wish to consider adding an expiry period to radicle.eth subdomains.

The radicle team updated the registrar to disallow registration of names that are represented with a single byte when serialzed. This dissalows registration of single character ascii names (e.g. x.radicle.eth), but still allows the registration of single character names that have multi-byte representations when serialized (e.g. emojis, chinese characters).

Using calldata as location for reference data types in the following functions:

• Timelock.queueTransaction
• Timelock.cancelTransaction
• Timelock.executeTransaction

would improve gas efficiency in the Timelock contract.

The Registrar does not allow the admin to set a new resolver or ttl value for the radicle.eth domain. While this can be achieved by means of a registrar upgrade, this seems unnecessarily restrictive.

The audit team recommends adding methods that allow the registrar admin to set the resolver and ttl values for the radicle.eth domain.

The Treasury contract is a simple contract wallet that holds ETH, only allowing the admin to withdraw the funds. Discussions with the Radicle team revealed that this treasury contract was meant to be controlled by Governance, and could also come to hold ERC20 tokens. Since the Timelock contract is already well equipped to both hold ETH and other assets in behalf of the Governance contract, the audit team recommends getting rid of the Treasury completely and just using the Timelock as a treasury instead.

The registrar currently contains placeholder methods relating to currently unimplemented flows that would allow users to register a domain using an amount of ETH determined by an external price oracle.

Removing these methods (and their associated storage variables) would make the contract both easier to read and cheaper to deploy.

The id field of the proposal struct is redundant. Proposals are indexed by their id, so any lookup would have to already be aware of the id of the proposal. Removing this should save at least 1 SSTORE per proposal.

Solidity packs adjacent value types occupying less than 32 bytes into a single slot whenever possible. In the case of the Proposal struct, there are several items that could be packed together if moved next to each other. The audit team suggests moving the proposer address next to the booleans in order to fit them in to a single storage slot.

The function Governor.propose requires the sender to hold more than Governor.proposalThreshold() votes in order to submit a proposal. However, the error message accompanying this constraint reads: "Governor::propose: proposer votes below proposal threshold", which is not true if the proposer has exactly proposalThreshold number of votes.

Names are restricted to be less than 32 bytes in length. As names in ENS are stored in a dictionary keyed by the namehash of the domain (a bytes32), this restriction is not required on the smart contract level.

UTF-8 encoded unicode characters have a maximum size of 4 bytes, meaning that the 32 bytes length restriction could result in an 8 character limit for some names.

The audit team recommends either loosening or lifting this restriction entirely.

Removing this check would save ~110 gas (~$0.15 @100 gwei/gas and 1400 USD/ETH) for every name registration.

Implementing permit into the RadicleToken would allow introduce less friction for interactions with the RadicleToken, and pave the way for a user experience wherein the user needs no eth to pay for transactions.

The values of the variables token and timelock cannot be altered after set in the constructor. Using immutable for these variables would provide an increase in gas efficiency.

The current signature based name registration flows in the radicle registrar do not offer any incentive to the relayer of a register transaction. This could be rectified by adding a registerWithFee method that pays the relayer of the call a fee upon successful name registration.

The address for the .eth registrar is read from the ens registry in setDomainOwner. It is assumed that the owner of the .eth tld in the ens registry will always be the .eth registrar. Should the owner of the .eth tld change to be a contract that reverts during the call to ethRegistrar.transferFrom then it will no longer be possible to migrate to a new registrar for the radicle.eth name.

The audit team recommends removing this assumption by reading the address of the .eth registrar from a storage variable in the radicle registrar. The admin of the registrar should be able to set the value of this storage variable.

Since the vestingtoken contract performs a transferFrom in its constructor, one has to precalculate its address and approve it before it is constructed.

The ENS root node is under the control of the ens multisig. The owner of the root node can change change ownership of any subnode in the tree, giving the signers for this multisig total control over all ens domains.

Should this multisig be compromised, ownership of all radicle.eth domains could fall into the hands of a malicious attacker.

Registration of a radicle.eth subdomain creates an irrevocable link between an ethereum address and a human readable identifier. Users of the system should be aware that this allows anyone who knows the radicle name to view the full history of all transactions carried out by that address. Further heuristic analysis may also allow the linking of connected addresses to that name.

It should be considered a best practice to register a radicle domain with a fresh address that is unconnected to other on chain activities.