The Ethereum Name Service Bug Bounty is Live

The Ethereum Name Service (ENS) is now included in the Ethereum Bug Bounty Program. This post explains how to participate in it.

Chris Remus
Apr 12, 2017

The team is hard at work on the Ethereum Name Service (ENS) relaunch. One issue identified after the first launch attempt was the lack of a formal bug bounty. We’re happy to announce that as of April 7, 2017 ENS is now included in the Ethereum Bug Bounty Program.

Ethereum Bounty Program

The Ethereum Bounty Program provides bounties for bugs. We call on our community and all bug bounty hunters to help identify bugs in the protocols and clients. Earn rewards for finding a vulnerability and get a place on our leaderboard. See Rules & Rewards section for details.

ENS security is now a category of the overall Ethereum Bug Bounty. From the Ethereum Bounty Program site —

This category includes:

- Flaws making it possible to gain unauthorized access to, or prevent the authorized withdrawal of, funds locked in Deeds.

- Flaws making it possible to interfere with, or make modifications to, an ENS domain belonging to another user.

- Flaws in the auction that affect the legitimacy of auction results.

Nick Johnson, a member of the ENS team, wrote a post describing an example of an ENS security bug. It was discovered during the first launch attempt. From that post:

The bug

The auction registrar was designed with two distinct phases for each auction: bidding, and reveal. If users can bid during the reveal phase, they can wait until they know what their opponents bid, and either outbid them, do nothing, or underbid them by a small amount to force them to pay the maximum. To prevent this, the auction registrar was designed to prohibit bids during the reveal phase of the auction.

A refactor accidentally removed that check, and while we have many unit tests, this edge case was not amongst them. We’ve since written more unit tests to cover this and other issues to prevent any recurrence of problems like this one.

The bug would have allowed people to bid during the reveal period, thus affecting the legitimacy of auction results.
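To make the failure mode concrete, here is a small simulation of a sealed-bid, second-price auction with separate bidding and reveal phases. It is an added illustration written for this post, not the ENS registrar's Solidity code: the phase names, the SHA-256 commitment format, the bidders and the bid values are assumptions of the model. Toggling `allow_bids_in_reveal` reproduces the missing check. With it on, an attacker who waits for the honest reveals can place a bid just under the top bid and force the winner to pay almost their maximum; with the check in place, the late bid is rejected and the winner pays the genuine second price.

```python
"""Model of a sealed-bid, second-price (Vickrey) auction with distinct
bidding and reveal phases. Added example, not ENS registrar code; the
commitment scheme and all names/values below are constructed for the demo."""
import hashlib
from dataclasses import dataclass, field

BIDDING, REVEAL, FINALIZED = "bidding", "reveal", "finalized"


def seal_bid(bidder: str, value: int, salt: bytes) -> bytes:
    """Commitment published during the bidding phase: hash(bidder, value, salt).
    The value stays hidden until the bidder reveals it."""
    return hashlib.sha256(bidder.encode() + value.to_bytes(32, "big") + salt).digest()


@dataclass
class Auction:
    allow_bids_in_reveal: bool          # True reproduces the refactor bug
    phase: str = BIDDING
    sealed: dict = field(default_factory=dict)     # commitment -> bidder
    revealed: list = field(default_factory=list)   # (value, bidder)

    def new_bid(self, bidder: str, commitment: bytes) -> None:
        if self.phase == FINALIZED:
            raise ValueError("auction is over")
        # This is the check the refactor dropped: no new bids once reveal starts.
        if self.phase == REVEAL and not self.allow_bids_in_reveal:
            raise ValueError("bids are not accepted during the reveal phase")
        self.sealed[commitment] = bidder

    def start_reveal(self) -> None:
        self.phase = REVEAL

    def reveal(self, bidder: str, value: int, salt: bytes) -> None:
        if self.phase != REVEAL:
            raise ValueError("not in reveal phase")
        # A reveal is only valid if it matches a previously sealed commitment.
        if self.sealed.pop(seal_bid(bidder, value, salt), None) != bidder:
            raise ValueError("no matching sealed bid")
        self.revealed.append((value, bidder))

    def finalize(self) -> tuple:
        """Highest revealed bid wins and pays the second-highest value."""
        self.phase = FINALIZED
        bids = sorted(self.revealed, reverse=True)
        _, winner = bids[0]
        price = bids[1][0] if len(bids) > 1 else 0
        return winner, price


def run_auction(allow_bids_in_reveal: bool) -> tuple:
    """Returns (winner, price_paid, attacker_bid_accepted) for one scenario."""
    a = Auction(allow_bids_in_reveal)
    salts = {"alice": b"a" * 8, "bob": b"b" * 8, "mallory": b"m" * 8}

    # Honest bidders commit during the bidding phase without knowing each other's bids.
    a.new_bid("alice", seal_bid("alice", 100, salts["alice"]))
    a.new_bid("bob", seal_bid("bob", 20, salts["bob"]))

    a.start_reveal()
    a.reveal("alice", 100, salts["alice"])
    a.reveal("bob", 20, salts["bob"])

    # Mallory has now seen the reveals (alice 100, bob 20) and bids just under
    # alice's maximum, so alice still wins but pays 99 instead of 20.
    try:
        a.new_bid("mallory", seal_bid("mallory", 99, salts["mallory"]))
        a.reveal("mallory", 99, salts["mallory"])
        attacker_bid_accepted = True
    except ValueError:
        attacker_bid_accepted = False

    winner, price = a.finalize()
    return winner, price, attacker_bid_accepted


if __name__ == "__main__":
    print("buggy registrar:", run_auction(allow_bids_in_reveal=True))
    print("fixed registrar:", run_auction(allow_bids_in_reveal=False))
```

The same late-bid window also lets an attacker outbid after seeing every reveal, which is the other outcome Nick's post mentions; the phase check in `new_bid` closes both, and a regression test like `run_auction(False)` is the kind of case the team added after the refactor.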

The ENS Bug Bounty follows the Ethereum Bug Bounty Program Rules and Rewards (scroll about 25% down that page) -

Reward sizes are guided by the rules below, but are in the end, determined at the sole discretion of the Ethereum Foundation bug bounty panel.

Critical: up to 25 000 points

High: up to 15 000 points

Medium: up to 10 000 points

Low: up to 2 000 points

Note: up to 500 points

1 point currently corresponds to 1 USD (payable in ETH or BTC), something which may change without prior notice.

Beyond monetary rewards, every bounty is also eligible for listing on our leaderboard with points accumulating over the course of the program.

In addition to Severity, other variables are also considered when the Ethereum Foundation bug bounty panel decides the score, including (but not limited to):

Quality of description. Higher rewards are paid for clear, well-written submissions.

Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward. Please see the wiki and repos to learn more about our test suite: Example test and wiki.

Quality of fix, if included. Higher rewards are paid for submissions with clear description of how to fix the issue.

We look forward to the community’s participation in the ENS Bug Bounty.

You can find -

Let us know in the ENS Gitter Channel.

The Ethereum Name Service

News about the Ethereum Name Service (ENS).

Chris Remus

Written by

Crypto Project & Product Manager / ENS PM / Chainflow Staking System Operator / Aspiring Bodhisattva & Cyclist

