Bug Discovered in ENS Auctions, Finalizations Temporarily Halted

Update 2: All of the ENS names stolen using an exploit in the OpenSea auction have been returned

Update: “How we’re resolving the issues with the ENS short-name auctions” from OpenSea

The first auctions for 3–6 character .ETH names started ending yesterday on OpenSea. Most of those first auctions resolved correctly, but we were quickly made aware of some that had been finalized incorrectly. We have temporarily halted finalizing any more auctions until we are certain the problems have been solved.

The problem

In a few cases, names were awarded to the wrong bidders and for an amount lower than the highest bid on that name.

At this point, we’re aware of two issues:

First, some bidders were given incorrect information on how to bid using the JavaScript SDK. As a result they submitted invalid bids carrying the wrong “target” field, and those bids were not considered when deciding the auction winner.

Second, one user discovered an input validation vulnerability that allowed them to place a bid on one name that, when finalized, issued a different name. Unfortunately, they exploited this to issue themselves defi.eth, wallet.eth, apple.eth, and a number of other names.

What we’re doing about it

Regarding the first problem, the incorrect information on how to use the JavaScript SDK: OpenSea has identified the problem and will be emailing bidders with instructions on how to resubmit their bids with valid information. Any auctions that haven’t been finalized yet and were affected by this will be extended; we may extend all auctions for simplicity (more information on this will follow soon).

Regarding the second problem, the exploited input validation vulnerability: fortunately, we caught it and halted finalization before they could obtain more than 16 names. We have identified and patched the issue that made this possible.
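An added illustration, not code from OpenSea or ENS: the post says the bug let a bid placed on one name issue a different name, and that bids with a wrong “target” field were dropped, but it does not describe the actual code or the exact flaw. The block below shows the class of check both problems call for, in JavaScript: a bid’s target is recomputed as an ENS labelhash (keccak256 of the label, which the permanent .eth registrar uses as the ERC-721 token id of the name) and must equal the token id of the auction it was submitted to, and finalization issues only the auction’s own token id, never a value copied from a bid. The bid shape (target.label, target.tokenId, amountWei, bidder), the function names, the ASCII-only 3–6 character label rule and the sample bids are all assumptions; the Keccak-256 implementation is included inline so the example runs offline.

```javascript
// Added example, hypothetical throughout: not OpenSea's or ENS's code, and
// not a description of the bug the post refers to.

// --- Keccak-256 (the hash behind ENS labelhash), compact BigInt implementation ---
const RC = [
  0x0000000000000001n, 0x0000000000008082n, 0x800000000000808an, 0x8000000080008000n,
  0x000000000000808bn, 0x0000000080000001n, 0x8000000080008081n, 0x8000000000008009n,
  0x000000000000008an, 0x0000000000000088n, 0x0000000080008009n, 0x000000008000000an,
  0x000000008000808bn, 0x800000000000008bn, 0x8000000000008089n, 0x8000000000008003n,
  0x8000000000008002n, 0x8000000000000080n, 0x000000000000800an, 0x800000008000000an,
  0x8000000080008081n, 0x8000000000008080n, 0x0000000080000001n, 0x8000000080008008n,
];
const ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
             [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]];   // rotation offsets r[x][y]
const M64 = (1n << 64n) - 1n;
const rotl = (v, n) => (n === 0 ? v : ((v << BigInt(n)) | (v >> BigInt(64 - n))) & M64);

function keccakF(A) {                 // A: 25 lanes indexed x + 5*y, mutated in place
  for (let r = 0; r < 24; r++) {
    const C = [0, 1, 2, 3, 4].map(x => A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20]);
    for (let x = 0; x < 5; x++) {     // theta
      const D = C[(x + 4) % 5] ^ rotl(C[(x + 1) % 5], 1);
      for (let y = 0; y < 5; y++) A[x + 5 * y] ^= D;
    }
    const B = new Array(25);          // rho + pi
    for (let x = 0; x < 5; x++) for (let y = 0; y < 5; y++)
      B[y + 5 * ((2 * x + 3 * y) % 5)] = rotl(A[x + 5 * y], ROT[x][y]);
    for (let x = 0; x < 5; x++) for (let y = 0; y < 5; y++)   // chi
      A[x + 5 * y] = B[x + 5 * y] ^ ((~B[(x + 1) % 5 + 5 * y] & M64) & B[(x + 2) % 5 + 5 * y]);
    A[0] ^= RC[r];                    // iota
  }
}

function keccak256(bytes) {           // original Keccak padding (0x01 ... 0x80), rate 136
  const rate = 136;
  const padded = new Uint8Array(Math.ceil((bytes.length + 1) / rate) * rate);
  padded.set(bytes);
  padded[bytes.length] ^= 0x01;
  padded[padded.length - 1] ^= 0x80;
  const A = new Array(25).fill(0n);
  for (let off = 0; off < padded.length; off += rate) {
    for (let i = 0; i < rate / 8; i++) {
      let lane = 0n;
      for (let b = 7; b >= 0; b--) lane = (lane << 8n) | BigInt(padded[off + i * 8 + b]);
      A[i] ^= lane;                   // absorb one little-endian 64-bit lane
    }
    keccakF(A);
  }
  let hex = '';                       // squeeze 32 bytes: first four lanes, little-endian
  for (let i = 0; i < 4; i++)
    for (let b = 0n; b < 64n; b += 8n) hex += Number((A[i] >> b) & 0xffn).toString(16).padStart(2, '0');
  return '0x' + hex;
}

// ENS labelhash: keccak256 of the UTF-8 label. The permanent .eth registrar uses
// it as the token id of "<label>.eth", so it is the identity of the name being sold.
const labelhash = label => keccak256(Buffer.from(label, 'utf8'));

// Hypothetical bid check: the auction is keyed by the token id of the name being
// sold, and every field of the bid's "target" must be bound to that same token id.
function validateBid(auction, bid) {
  const label = bid.target && bid.target.label;
  // simplification: ASCII labels only, 3-6 characters as in the short-name auctions
  if (typeof label !== 'string' || !/^[a-z0-9-]{3,6}$/.test(label))
    return { ok: false, reason: 'malformed target label' };
  const derived = labelhash(label);
  if (derived !== bid.target.tokenId)   // the bid's own fields disagree with each other
    return { ok: false, reason: 'target tokenId is not the labelhash of target label' };
  if (derived !== auction.tokenId)      // the bid names some other auction's name
    return { ok: false, reason: 'bid targets a different name than this auction' };
  if (typeof bid.amountWei !== 'bigint' || bid.amountWei <= 0n)
    return { ok: false, reason: 'bid amount must be a positive integer' };
  return { ok: true, tokenId: derived, amountWei: bid.amountWei };
}

// Finalization: only validated bids compete, and the name issued is always the
// auction's own token id, never a value taken from a bid.
function finalize(auction, bids) {
  let winner = null;
  for (const bid of bids) {
    const v = validateBid(auction, bid);
    if (v.ok && (winner === null || v.amountWei > winner.amountWei))
      winner = { bidder: bid.bidder, amountWei: v.amountWei };
  }
  return winner === null ? null : { issueTokenId: auction.tokenId, ...winner };
}

// Constructed sample data (not real auction records or bidders).
const auctionWallet = { label: 'wallet', tokenId: labelhash('wallet') };
const goodBid   = { bidder: 'alice', target: { label: 'wallet', tokenId: labelhash('wallet') }, amountWei: 5n * 10n ** 18n };
const crossBid  = { bidder: 'bob',   target: { label: 'defi',   tokenId: labelhash('defi') },   amountWei: 6n * 10n ** 18n };
const forgedBid = { bidder: 'carol', target: { label: 'wallet', tokenId: labelhash('defi') },   amountWei: 7n * 10n ** 18n };

console.log(validateBid(auctionWallet, crossBid).reason, '|', validateBid(auctionWallet, forgedBid).reason);
console.log(finalize(auctionWallet, [goodBid, crossBid, forgedBid]));
```

The two rejected bids are the interesting cases: crossBid is internally consistent but aimed at a different name than the auction it was submitted to, and forgedBid names the auctioned label while carrying another name’s token id. Both are higher than the honest bid, and both are excluded before the winner is chosen, so finalize returns the honest bidder and the auction’s own token id as the only thing to issue.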

Can names that were awarded incorrectly be taken back and given to the correct bidder?

Unfortunately not. ENS is designed such that .ETH names cannot be revoked once they have been issued, not even by us. This is an intentional feature of ENS that gives owners of .ETH names a high degree of security, but it also means that mistakes such as this one can be costly: any check on a bid has to happen before the transaction that issues the name is sent, because nothing can undo it afterwards.

How to contact us

If you have more information about these or other problems with the auctions, or have a question, the best way to contact us right now is on our Gitter channel or on our forum.

Conclusion

We are very sorry this problem happened. We take the integrity and fairness of the auctions and the whole ENS system very seriously. We will not finalize any more auctions until we are certain we have fixed all problems.

We will give updates as we have them here on Medium and on our Twitter account.

News about the Ethereum Name Service (ENS) from the team building it. Follow this publication for the latest ENS developments.

brantly.eth


Dir. of Operations at Ethereum Name Service (ens.domains)
