The domain names, all under the .eth top-level domain, included some premium names such as apple.eth, defi.eth, wallet.eth and coffeeshop.eth. According to OpenSea, the hacker exploited a vulnerability that allowed him to acquire the domain names despite not being the highest bidder.
“One user discovered an input validation vulnerability that allowed them to place bids on a name that actually issued a different name,” the auction marketplace wrote in a blog post.
The domain names were blacklisted because the blockchain does not allow the transfers to be undone: Ethereum is immutable, and since these domains were issued on the Ethereum blockchain, OpenSea was unable to reassign them to the highest bidders. Instead, OpenSea appealed to the hacker to return the domains in exchange for a reward for discovering the bug, offering as much as 25% of the auction proceeds for the 17 domains. It seems this offer was too good for the hacker to pass up.
“We appreciate the work you’ve done exposing vulnerabilities in the auction system. […] To compensate for the work you’ve done to expose these vulnerabilities, we’re prepared to offer you 25% of the winning bid price of each name you return. We’ll also refund your purchase price.”
According to a Twitter update by OpenSea on Friday, the hacker returned all the domains to be re-auctioned.
“Update: the stolen ENS names were all returned successfully to @ensdomains!” OpenSea wrote in the tweet. “Thanks for supporting the community; we’re working hard to restart bidding this week before #devcon5 and will send out emails to bidders when it’s ready.”
One of the returned domain names, Coffeeshop.eth, has already received bids, the highest being 100 WETH (Wrapped ETH), worth about $14,000.