In brief A backdoor in the Ethereum Name Service let people claim back names for names they've sold to other people

The team doesn't think the exploit affected anyone, but they've fixed it.

It cost them over $25,000 to fix.

When the Ethereum Name Service—a smart contract that makes addresses on the Ethereum blockchain human readable—was migrated to a newer smart contract, it contained a bug so severe it cost developers over $25,000 to fix it, the team said in a blog post yesterday.

On November 8, 2019, a bug was submitted to the Ethereum Bug Bounty page that would let someone claim back ownership over an address name, even if it were transferred to someone else. So, for instance, John Doe could register Decrypt.ETH, transfer it to Jane Doe, then claim it back.

“This would be pretty bad, so we realized relatively quickly that we had to migrate our entire infrastructure to a new registry,” said the team.

A costly bug

That meant that all 310,000 names on the Ethereum name service required updating, as well as 50,000 subdomains, 60,000 names using a resolver, and 37,000 names with addresses set. In total, that’s 360,000 names.

Modifying all those names would mean they’d have to spend a lot of money in transaction fees. Since, overall, the team had to modify around 847,000 “storage slots,” it had to spend a total of $25,000 worth of ETH to get the job done.

On January 27, the team deployed a new smart contract, and in the first full week of February, they migrated the names to a new smart contract. The job was finished by February 10.

Luckily, “upon investigating the vulnerability further, we were able to say with a large certainty that the vulnerability was not exploited,” said the team.