Ethereum Name Service (ENS) name auctions were halted because of a bug that resulted in names being awarded to the wrong users and for lower bids.
ENS’s editor Brantly Millegan announced the halt of the name auctioning service in a Medium article published on Sept. 30. He noted that most of the first auctions concluded successfully and only a few were affected by the bug. The anomalous result of some auctions had two distinct causes, one of which lies in documentation, not the software, according to Millegan.
A vulnerability has been discovered
The second issue — rooted in the software — is an input validation vulnerability which allowed users “to place bids on a name that actually issued a different name.” Malicious users reportedly used this vulnerability to issue themselves the names defi.eth, wallet.eth, apple.eth and others.
In an attempt to set things straight, bidders will be emailed instructions on how to resubmit valid bids, according to the article. At the same time, affected auctions that have not yet been finalized will be extended. Furthermore, all but 16 of the auctions affected by the vulnerability were halted before finalization.
A costly Ethereum Name Service mistake
The vulnerability itself was identified and patched, so attacks of this kind will not be possible again. Still, Millegan admits that names awarded to attackers in finalized auctions cannot be revoked and returned to the correct bidder. This irrevocability is a double-edged sword that also has its advantages:
“ENS is designed such that we can’t revoke .ETH names once they have been issued. This is an intentional feature of ENS that ensures the owners of .ETH names a high degree of security. But it also means that mistakes, such as in this case, can be costly.”