Bug Discovered in ENS Auctions, Finalizations Temporarily Halted
Update 2: All of the ENS names stolen using an exploit in the OpenSea auction have been returned
Update: “How we’re resolving the issues with the ENS short-name auctions” from OpenSea
The first auctions for 3–6 character .ETH names started ending yesterday on OpenSea. Though most of these first auctions to end were resolved correctly, we were quickly made aware of some auctions that had been finalized incorrectly. We have temporarily halted finalizing any more auctions until we can be certain the problems have been solved.
In a few cases, names were awarded to the wrong bidders and for an amount lower than the highest bid on that name.
At this point, we’re aware of two issues:
Second, one user discovered an input validation vulnerability that allowed them to place bids on a name that actually issued a different name. Unfortunately, they exploited this to issue themselves defi.eth, wallet.eth, apple.eth, and a number of other names.
What we’re doing about it
Regarding the second problem of someone exploiting the input validation vulnerability: Fortunately, we caught this and halted finalization before they could get more than a few (16) names. We’ve identified and patched the issue that made this possible.
Can names that were awarded incorrectly be taken back and given to the correct bidder?
Unfortunately not. ENS is designed such that we can’t revoke .ETH names once they have been issued. This is an intentional feature of ENS that ensures the owners of .ETH names a high degree of security. But it also means that mistakes, such as in this case, can be costly.
How to contact us
We are very sorry this problem happened. We take the integrity and fairness of the auctions and the whole ENS system very seriously. We will not finalize any more auctions until we are certain we have fixed all problems.