Bug Discovered in ENS Auctions, Finalizations Temporarily Halted

Brantly Millegan
Sep 30, 2019

Update 2: All of the ENS names stolen using an exploit in the OpenSea auction have been returned

Update: “How we’re resolving the issues with the ENS short-name auctions” from OpenSea

The first auctions for 3–6 character .ETH names started ending yesterday on OpenSea. Though most of these first auctions to end were resolved correctly, we were quickly made aware of some auctions that had been finalized incorrectly. We have temporarily halted finalizing any more auctions until we can be certain the problems have been solved.

The problem

At this point, we’re aware of two issues:

First, some bidders were given incorrect information on how to bid using the JavaScript SDK. This resulted in the submission of invalid bids, with the wrong “target” field. As a result, those bids weren’t considered when deciding the auction winner.

Second, one user discovered an input validation vulnerability that allowed them to place bids on one name while the finalization actually issued a different name. Unfortunately, they exploited this to issue themselves defi.eth, wallet.eth, apple.eth, and a number of other names.

What we’re doing about it

Regarding the second problem, the exploitation of the input validation vulnerability: fortunately, we caught this and halted finalization before they could obtain more than a few (16) names. We have identified and patched the issue that made this possible.

Can names that were awarded incorrectly be taken back and given to the correct bidder?

How to contact us

Conclusion

We will give updates as we have them here on Medium and on our Twitter account.

The Ethereum Name Service

News about the Ethereum Name Service (ENS).

Written by Brantly Millegan, Dir. of Operations at Ethereum Name Service (ens.domains). Personal website and ENS name: brantly.xyz
