Ethereum Name Service Auctions Halted Because of a Bug

Published by Cointele

Ethereum Name Service name auctions were halted because of a bug that resulted in names being awarded to the wrong users and for lower bids.

ENS's editor Brantly Millegan announced the halt of the name auctioning service in a Medium article published on Sept. 30.

The anomalous result of some auctions had two distinct causes, one of which lies in documentation, not the software, according to Millegan.

Per the announcement, "Some bidders were given incorrect information on how to bid using the JavaScript SDK." As a result, they submitted invalid bids with wrong target fields, which meant that their bids were not considered in the auction.

The second issue - rooted in the software - is an input validation vulnerability which allowed "to place bids on a name that actually issued a different name." Malicious users reportedly used this vulnerability to issue themselves the names defi.

In an attempt to set things straight, bidders will be emailed with instructions on how to resubmit valid bids, according to the article.

At the same time, unfinalized affected auctions will be extended.

All but 16 of the auctions affected by the vulnerability were halted before finalization.

Still, Millegan admits that names that have been awarded to attackers in finalized auctions cannot be revoked and returned to the correct bidder.

"ENS is designed such that we can't revoke .ETH names once they have been issued. This is an intentional feature of ENS that ensures the owners of .ETH names a high degree of security. But it also means that mistakes, such as in this case, can be costly."
