The hacker who managed to exploit an auction by the Ethereum Naming Service (ENS) to grab top-level domains has voluntarily returned the domains he took.
Since September 1 digital collectibles marketplace OpenSea has been having an Ethereum domain auction, where “.eth” domains are being auctioned to the highest bidder. These domains, unlike those working on the standard DNS domain, can’t be forcibly retrieved once allocated, as they’re on the Ethereum blockchain.
Using an exploit in the auction software distributing the ENS domains to participants, the hacker managed to get a hold of top-level domains like “apple.eth”, “defi.eth,” and “wallet.eth” without being the highest bidder. Overall, the user took 17 domains.
OpenSea wrote in a blog post:
One user discovered an input validation vulnerability that allowed them to place bids on a name that actually issued a different name.
The auction suffered from other issues, as domains like “bitmex.eth” and “hodls.eth” had bids incorrectly processed. These weren’t, however, affected by the exploit. The affected domains were initially blacklisted by OpenSea, although the marketplace asked the hacker to return the domains so they can be re-auctioned.
In return, it offered the hacker a reward of 25% of the final auction price, as well as the original bid. The offer seems to have worked as on Twitter, OpenSea revealed the domains were voluntarily returned.
Update: the stolen ENS names were all returned successfully to @ensdomains! 🤗Thanks for supporting the community; we’re working hard to restart bidding this week before #devcon5 and will send out emails to bidders when it’s ready
— OpenSea (@opensea) October 3, 2019
Featured image via Pixabay.
