How we’re resolving the issues with the ENS short-name auctions

Devin Finzer
Oct 1, 2019 · 5 min read

Update:

We’ve resumed bidding on the short name auctions! Paused auctions will be extended so that they end after Tuesday, October 15 so folks have time to enjoy Devcon. Thanks for bearing with us!


Update:

The stolen ENS names mentiond in this article were recently returned to the ENS team for re-auction. A big thank you to the user that returned these assets for supporting the community in this effort!


Over the last few months, we’ve been working to build support for the initial auction of ENS short names on OpenSea. It’s been a pleasure working with the ENS team on this sale, especially since we believe it represents an important moment in the early history of the decentralized web.

Unfortunately, there were several bugs in the process that caused a number of ENS names to be distributed to users that were not the highest bidders.

First of all, we want to be clear that OpenSea takes full responsibility for these bugs. The ENS team leveraged OpenSea’s infrastructure to conduct the sales of ENS names, and was entirely without fault for the issues that occurred. OpenSea would therefore like to formally apologize to our community: the ENS auction was a brand new feature with a lot of moving pieces, and we should have identified and resolved these bugs during testing.

Call Data Exploit

One user discovered an input validation vulnerability that allowed them to place bids on a name that actually issued a different name. They exploited this to issue themselves 17 names:

11111.eth, 123.eth, 1234.eth, 123456.eth, 22222.eth, 33333.eth, 55555.eth, 666666.eth, 888.eth, 888888.eth, 99999.eth, apple.eth, defi.eth, facai.eth, love.eth, pay.eth, wallet.eth

Fortunately, we identified the attack before they could use the vulnerability to obtain a large number of other valuable short names.

Invalid bids

Some bidders were given incorrect information on how to bid using the JavaScript SDK, and a few bidders on the website also encountered a race condition with the OpenSea ownership check that set the “owner” of a few un-minted names to the null address, temporarily. This resulted in the submission of invalid bids, with the wrong “target” field. As a result, those bids weren’t considered when deciding the auction winner.

Miscellaneous User Interface Issues

We’ve also received feedback from our community that several elements of the auctions were confusing. For example, users were placing extremely high bids on items to discourage other users from bidding on those names. It wasn’t clear to users that they could place lower bids on the items. We’ll be working on a UI that better communicates that, and better rules around auction extensions.

The plan moving forward

We will be officially pausing the ENS auctions and disabling bidding until we have complete confidence that the bugs in the OpenSea platform are fully resolved.

  1. Once bidding is re-enabled, we will extend invalid ENS auctions so that users who experienced issues have more time to bid. Any auctions that were open during the pause period, as well as the auctions closed with issues (see the list at the end of this post), will be extended.

Request to users

A blessing and a curse of blockchain-based digital assets is that once they have been distributed, it is impossible for them to be revoked. We can’t redo the auctions for the names that were sold in an invalid fashion.

We’d like to formally request that all users who obtained ENS names via an invalid auction send them back to the ENS team for re-auctioning. As a reward, you will receive both the ETH you paid for the item and 25% of the auction commission when the item is sold.

If your name is one of those affected, you will have an offer on OpenSea from the ENS team, for the original sale amount. To receive a refund plus 25% of the sale price when it is re-auctioned, simply accept the offer from the OpenSea account named ENS in the OpenSea UI.

Here’s the list of names we’re requesting back from users:

bet365.eth, bridge.eth, conner.eth, edesa.eth, eaton.eth, ether.eth, hansen.eth, hobbs.eth, hodls.eth, jensen.eth, keller.eth, lopez.eth, maersk.eth, mayer.eth, nails.eth, nobel.eth, nolan.eth, palmer.eth, pedro.eth, phuket.eth, refer.eth, sharpe.eth, signed.eth, skynet.eth, spacex.eth, study.eth, tanner.eth, wright.eth

Request to the hacker

We appreciate the work you’ve done exposing vulnerabilities in the auction system. In the process, you’ve acquired names through methods not consistent with ENS goals, values or best interests of the ENS community.

As such, we’re asking for you to return the names to the ENS team. If you do, we will make them available again through the corrected and updated auction process.

To compensate for the work you’ve done to expose these vulnerabilities, we’re prepared to offer you 25% of the winning bid price of each name you return. We’ll also refund your purchase price.

The names you’ve acquired have been blacklisted from trading by OpenSea. ENS is currently evaluating options to implement a blacklist too. It’s been on the ENS’s team roadmap and they have the code written to implement it. ENS is also considering making these names non-renewable.

To return the names to the ENS team, simply accept the offer on the OpenSea item page to get your payment back, or use manager.ens.domains to transfer the registrant to 0x0904Dac3347eA47d208F3Fd67402D039a3b99859.

Auctions to be extended

In addition to auctions that were paused while active, we will extend finished auctions that had bidding issues. Here is the list of finished auctions that will be extended. As names are returned to the ENS team from the winners of auctions that were finalized with issues, we will add them to this list. We will post the final list when we re-start the auctions.

000000.eth, aiqing.eth, alphab.eth, asset.eth, atkins.eth, award.eth, bailey.eth, bender.eth, birth.eth, bitmex.eth, blocks.eth, brands.eth, briggs.eth, buddha.eth, carmax.eth, carney.eth, carver.eth, coders.eth, common.eth, conrad.eth, cooley.eth, cortez.eth, creek.eth, crédit.eth️, españa.eth️, estate.eth, evans.eth, farley.eth, faucet.eth, ferrum.eth, flynn.eth, foley.eth, foster.eth, gbpusd.eth, hardin.eth, henson.eth, hewitt.eth, hodge.eth, hooper.eth, horne.eth, huber.eth, hurley.eth, ilove.eth, image.eth, infor.eth, itbit.eth, lambda.eth, laoban.eth, livetv.eth, logic.eth, lotto.eth, lynch.eth, lyons.eth, mccoy.eth, mcgee.eth, medina.eth, mercer.eth, mixin.eth, monax.eth, olson.eth, order.eth, ortega.eth, osaka.eth, osiris.eth, poole.eth, ravens.eth, razer.eth, rhodes.eth, roach.eth, rogers.eth, roman.eth, samoa.eth, sloan.eth, sophia.eth, spears.eth, stuart.eth, suarez.eth, swaps.eth, swoop.eth, taipei.eth, theme.eth, tongji.eth, vance.eth, vinson.eth, voilà.eth️, yidong.eth, zhenai.eth, москва.eth️, 中国人民银行.eth️, 以太坊支付.eth️

OpenSea

Buy, sell, and discover rare digital items

Devin Finzer

Written by

Co-founder of OpenSea

OpenSea

OpenSea

Buy, sell, and discover rare digital items

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade