05 March 2020

ENS releases a post mortem breaking down its costly fix of a smart contract bug

Ethereum Name Service (ENS) developers spent roughly 140 ETH migrating its domain name registry to address a vulnerability in the system. The costly bug, first reported by security researcher Sam Sun in Nov. 2019, would have allowed a user to reclaim ownership of a name they had previously sold or transferred. In response, ENS decided to migrate its entire system, consisting of over 450,000 names, to a new contract, spending over $25,000 in gas fees (ETH was $180 at the time the fix began). The team completed the migration on Feb. 10 and, upon further review of the bug, "were able to say with a large certainty that the vulnerability was not exploited."

Why it matters:

- Open-source code presents a double-edged sword: anyone can help debug the system, and anyone can exploit it should a vulnerability exist. Despite pre-deployment testing periods, many Ethereum projects, such as ENS and Maker, rely on bug bounty programs to incentivize white hat hackers to privately disclose vulnerabilities so project teams can make the right adjustments.
- Sam Sun has quickly become one of the unsung heroes within the Ethereum developer community. The security researcher uncovered several other critical bugs in project codebases, such as 0x, Livepeer, and Authereum, in addition to ENS, before less altruistic hackers took advantage of these vulnerabilities.
