Over the last few months, we’ve been working to build support for the initial auction of ENS short names on OpenSea. It’s been a pleasure working with the ENS team on this sale, especially since we believe it represents an important moment in the early history of the decentralized web.

Unfortunately, there were several bugs in the process that caused a number of ENS names to be distributed to users that were not the highest bidders.

First of all, we want to be clear that OpenSea takes full responsibility for these bugs. The ENS team leveraged OpenSea’s infrastructure to conduct the sales of ENS names, and was entirely without fault for the issues that occurred. OpenSea would therefore like to formally apologize to our community: the ENS auction was a brand new feature with a lot of moving pieces, and we should have identified and resolved these bugs during testing.

Call Data Exploit

One user discovered an input validation vulnerability that allowed them to place bids on a name that actually issued a different name. They exploited this to issue themselves 17 names:

11111.eth, 123.eth, 1234.eth, 123456.eth, 22222.eth, 33333.eth, 55555.eth, 666666.eth, 888.eth, 888888.eth, 99999.eth, apple.eth, defi.eth, facai.eth, love.eth, pay.eth, wallet.eth

Fortunately, we identified the attack before they could use the vulnerability to obtain a large number of other valuable short names.

Invalid bids

Some bidders were given incorrect information on how to bid using the JavaScript SDK, and a few bidders on the website also encountered a race condition with the OpenSea ownership check that set the “owner” of a few un-minted names to the null address, temporarily. This resulted in the submission of invalid bids, with the wrong “target” field. As a result, those bids weren’t considered when deciding the auction winner.

Miscellaneous User Interface Issues

We’ve also received feedback from our community that several elements of the auctions were confusing. For example, users were placing extremely high bids on items to discourage other users from bidding on those names. It wasn’t clear to users that they could place lower bids on the items. We’ll be working on a UI that better communicates that, and better rules around auction extensions.

The plan moving forward

We will be officially pausing the ENS auctions and disabling bidding until we have complete confidence that the bugs in the OpenSea platform are fully resolved.

Once bidding is re-enabled, we will extend invalid ENS auctions so that users who experienced issues have more time to bid. Any auctions that were open during the pause period, as well as the auctions closed with issues (see the list at the end of this post), will be extended. We will email users that placed a bid on items through our SDK (and hence have invalid bids), so that they can re-bid on ENS names. We will preserve all valid bids on ENS short names so that users who already have bid don’t have to re-bid. These bids can, of course, still be cancelled.

Request to users

A blessing and a curse of blockchain-based digital assets is that once they have been distributed, it is impossible for them to be revoked. We can’t redo the auctions for the names that were sold in an invalid fashion.

We’d like to formally request that all users who obtained ENS names via an invalid auction send them back to the ENS team for re-auctioning. As a reward, you will receive both the ETH you paid for the item and 25% of the auction commission when the item is sold.

If your name is one of those affected, you will have an offer on OpenSea from the ENS team, for the original sale amount. To receive a refund plus 25% of the sale price when it is re-auctioned, simply accept the offer from the OpenSea account named ENS in the OpenSea UI.

Here’s the list of names we’re requesting back from users:

bet365.eth, bridge.eth, conner.eth, edesa.eth, eaton.eth, ether.eth, hansen.eth, hobbs.eth, hodls.eth, jensen.eth, keller.eth, lopez.eth, maersk.eth, mayer.eth, nails.eth, nobel.eth, nolan.eth, palmer.eth, pedro.eth, phuket.eth, refer.eth, sharpe.eth, signed.eth, skynet.eth, spacex.eth, study.eth, tanner.eth, wright.eth

Request to the hacker

We appreciate the work you’ve done exposing vulnerabilities in the auction system. In the process, you’ve acquired names through methods not consistent with ENS goals, values or best interests of the ENS community.

As such, we’re asking for you to return the names to the ENS team. If you do, we will make them available again through the corrected and updated auction process.

To compensate for the work you’ve done to expose these vulnerabilities, we’re prepared to offer you 25% of the winning bid price of each name you return. We’ll also refund your purchase price.

The names you’ve acquired have been blacklisted from trading by OpenSea. ENS is currently evaluating options to implement a blacklist too. It’s been on the ENS’s team roadmap and they have the code written to implement it. ENS is also considering making these names non-renewable.

To return the names to the ENS team, simply accept the offer on the OpenSea item page to get your payment back, or use manager.ens.domains to transfer the registrant to 0x0904Dac3347eA47d208F3Fd67402D039a3b99859.

Auctions to be extended

In addition to auctions that were paused while active, we will extend finished auctions that had bidding issues. Here is the list of finished auctions that will be extended. As names are returned to the ENS team from the winners of auctions that were finalized with issues, we will add them to this list. We will post the final list when we re-start the auctions.