ENS back testing bug bounty

About The ENS

After several weeks of being offline, the Ethereum Name Service (ENS) is returning, allowing users to once again bid on their own vanity names for their Ethereum addresses.

The addresses used in cryptocurrency transactions are not exactly user-friendly. Unlike the simple email addresses or phone numbers used by money transfer systems like Venmo, PayPal, or Circle, the Ethereum network uses 42-character hash strings to identify accounts or wallet contracts. The ENS seeks to change that by allowing users to register their own names with the .eth suffix (such as ‘vitalik.eth’) instead of having to remember the clumsy cryptographic string or scan a QR code. This feature would be a huge breakthrough for the Ethereum network, as simplifying Ether transactions in this way could easily spark a much wider adoption of the technology on a global scale.

Since its original launch and subsequent takedown on March 14, the developers have been working to track down and fix the problems in the ENS code. One problem allowed people to bid during the reveal phase, while another allowed people to win auctions without having to remit payment.

A Look At The Problems

A postmortem report issued on March 20 identified the root causes of the launch problems. The report concluded that insufficient review of the code, the lack of a formal independent audit, reluctance to cancel the launch after the first bug was found, and several other factors all contributed to the initial failure. A second paper offers the perspective of the ENS contributor Maurelian, who points out that there was a lack of incident response planning and no playbook outlining contingencies and how to deal with them. The lack of an official “bug bounty” was also cited; a bounty may have helped to eliminate problems earlier on. Maurelian stated:

“This is an important moment for the Ethereum community to show what it’s made of. The reaction so far has been overwhelmingly understanding and supportive, and I hope that continues. This kind of even headed response will allow developers to learn and improve, and ultimately contribute to a much stronger ecosystem.”

In the last few weeks, the originally identified bugs were fixed, and independent developers Piper Merriam and Martin Holst Swende carried out a complete audit (1,2) of the codebase between March 23 and March 31. According to the public audit report released on April 6, the auditors identified several minor issues and no major ones. Nick Johnson says, “Both auditors identified a couple of situations in which the code could be improved to prevent user error and to make it easier to read and maintain, but neither found significant issues with the contract itself. Given that, we feel comfortable proceeding with a launch in the near future.”

Moving Forward Toward Re-launch

The ENS team also brought on Chris Remus shortly after he wrote an article about how having a project manager could help its next launch succeed. In the article he reviewed the post-launch reports, made several positive suggestions, and stated that “[a] blockchain project manager keeps an eye on the big picture.” He took on the role of ENS Project Manager on March 31.

Since then, the ENS development team has been working toward its second launch. Johnson, in a recent Reddit discussion about the audit report and what is next for the service, said, “We are instituting a bug bounty – and a soft rollout.” The ENS bug bounty, which is now live, is part of the Ethereum Bug Bounty Program. Through this effort, people are encouraged to find bugs in the Ethereum code and are rewarded for doing so. Participants find errors and exploits and report them before they are identified and used by a malicious user. The bugs that are covered by this bounty are:

  • Flaws making it possible to gain unauthorized access to, or prevent the authorized withdrawal of, funds locked in Deeds.
  • Flaws making it possible to interfere with, or make modifications to, an ENS-domain belonging to another user.
  • Flaws in the auction that affect the legitimacy of auction results.

In the latest post from Johnson, he also describes the new soft rollout: 

“All auctions will run for 3 days, followed by a 2 day reveal period. The launch dates for each name will be staggered out over an extended period – currently 13 weeks. So while some names will be available almost immediately after launch, others will take days or weeks to become available.” He also says that “for testing purposes, the ‘soft launch’ period on Ropsten [testnet] is much shorter than it will be on mainnet – just 4 weeks.” So, barring any major roadblocks, look forward to the relaunch of the Ethereum Name Service in about a month.

The latest updates on the ENS can be found on its Medium page. For a more in-depth look at the ENS, see this previous ETHNews article.

Bowen is a technology evangelist, writer, and speaker on a variety of subjects. He is enthusiastic about blockchain, cryptography, and other disruptive technologies and their ability to make the planet a better place. Bowen is a Guest Writer whose views and opinions do not necessarily reflect those of ETHNews.