Edit: We’ve since relaunched the ENS registry; for more details see https://ens.domains/!

tl;dr: The initial ENS registrar has a bug that will require anyone who already bid to take manual action to recover any bids they already placed, and resubmit their bid when the fix is deployed. Your ether is not at risk!

First off, thanks to everyone for the huge amount of support and encouragement they’ve offered ENS and the launch! We’re really looking forward to seeing what uses people put ENS to.

Unfortunately, the initial version of the auction registrar as deployed had a bug that would have allowed people to bid during the reveal period — many thanks to ‘EthHead’ for finding this. Since the DApp wasn’t yet enabled for bidding, this affects relatively few people.

If you have placed bids already, your bids are safe, but we recommend stopping bidding and opening auctions on the current version of the registrar, as they won’t have any effect.

The bug

The auction registrar was designed with two distinct phases for each auction: bidding, and reveal. If users can bid during the reveal phase, they can wait until they know what their opponents bid, and either outbid them, do nothing, or underbid them by a small amount to force them to pay the maximum. To prevent this, the auction registrar was designed to prohibit bids during the reveal phase of the auction.

A refactor accidentally removed that check, and while we have many unit tests, this edge case was not amongst them. We’ve since written more unit tests to cover this and other issues to prevent any recurrence of problems like this one.

The fix

We’ve developed a fix, which we intend to deploy shortly — ideally in the next few hours. If you haven’t bid on any auctions yet, there’s nothing you have to do — once the new registrar is deployed and the auction DApp goes live, you can bid just like normal.

Any opened auctions and bids on the original version of the registrar won’t have any effect, so you’ll need to reopen those auctions and bid again when the new registrar is deployed. If you’re one of the few people who have already bid, you’ll still need to reveal your bid on the old registrar in order to get your deposit back, but shouldn’t need to take any other action beyond that.

If you’re one of the people affected by this, I’d encourage you to contact me at arachnid@notdot.net; I’ll happily provide individual support to ensure you get your bids returned properly and without hassle.