OpenSea’s Ethereum Name Service Auction Exploited; Top Tier ETH Domains Stolen
The Ethereum Name Service (ENS) auction was recently halted due to a bug that led to ENS domains going to people who had submitted lower bids. The auction, run by the digital marketplace OpenSea, started on September 1 and was halted soon after a few of the first auctions occurred.
Initially, a bug prevented some people from bidding because they received incorrect instructions via the JavaScript SDK. Then a second issue arose: an input validation vulnerability was exploited. This caused users who did not bid high enough to get domains such as Apple.eth, defi.eth and Wallet.eth.
Unfortunately, OpenSea explained, after the bids, there were issues with the digital assets on the blockchain. This was described as “both a blessing and a curse” of the blockchain, as the problem can never be resolved.
All of the addresses involved in the hack, which amount to 17 in total, are now blacklisted by OpenSea. This was the only way to deal with the situation.
In order to prevent more issues from happening, however, it was decided that the auctions should be halted. After that, the team decided to patch the issues so that the hackers could not attack the auctions again.
It is very unfortunate that hackers were able to cause this level of damage to the auction instead of playing fair. These were costly mistakes and now these addresses cannot be used as they were stolen.