Lessons Learned Squatting ENS Domains

Billy Rennekamp
7 min readOct 16, 2018

I’m here and ready to repent; I’m here to atone by sharing what I’ve learned while foraging in the underbelly of the Ethereum Name Service. Read on for the full story, or click here to jump straight to the good stuff.

Amateur Hour

My bad behavior began as a desire to understand what happened when I, myself, lost an ENS auction to a domain squatter. I was feeling confident after securing my own name billyrennekamp.eth while only spending the lowest amount possible. I had made my .01 ETH bid then set an alarm to come back 3 days later to reveal it. After waiting another 2 days for the reveal period I saw there were no other bids, which meant I could close the auction and claim my name. Feeling confident, I tried the same technique with clovers.eth, a name I intended on pointing to the art game Clovers.Network. Alas, it was snatched away by 0x87617ad4624da516e7191ba6fbb69d28c0a0ac82, hereto forth known as 😈DwarfPool👿.

The First Cut is the Deepest

To add insult to injury, I quickly realized that 😈DwarfPool👿 didn’t even pay the .5 ETH they’d bid in order to win over my .01 ETH. This was due to the fact that .eth domains are handled by a Vickrey Auctionthe winner only pays as much as the second place bidder was willing to spend. If I had bid what the domain was actually worth to me, maybe I’d really appreciate this feature. However I didn’t take the process seriously and as a result I lost it all. Fueled by remorse I began a post-mortem to understand exactly how my adversary had foiled me.

Rainbow Table > Namehash

The first thing I needed to understand was how😈DwarfPool👿 even knew about the auction. While Ethereum transactions and events are always visible on block explorers, ENS names are hashed with a technique called Namehash (EIP 137). This keeps names cheap to store on chain and adds a layer of privacy to the auction process. However, thanks to Rainbow Tables utilized by Etherscan and other services, many common words are pre-hashed and compared against the incoming auctions. Just look here to see which names get exposed in plain text. 😈DwarfPool👿 must have been watching when clovers.eth popped up in that list, ripe for the picking.


I call 😈DwarfPool👿 a squatter because they have yet to put the domain to use. I call myself a stalker because I turned on email notifications with Etherscan to ping me every time their account is touched. I’ve also signed up with enslisting in case the domain is put up for sale. These measures have proven limited and when the ENS workshop & hackathon rolled around last August I decided to take matters into my own hands. Teaming up with Pedro Gomes from @walletconnect and Ryan Le from @buyethdomains, we decided to add liquidity and accessibility to ENS domain names by converting them into ERC-721 Non-Fungible Tokens.

Enter ENS Nifty

Thus was born a new and free service called ENS Nifty. Similar to how Wrapped Ether (W-ETH) provides Ether with all of the benefits of an ERC-20 token, ENS Nifty provides ENS domain names with all of the benefits of ERC-721 Non-Fungible Tokens.

Here’s how it works:

  1. 🔓 Go to ENSNifty.com and unlock your wallet
  2. 🔀 Transfer your domain deed to our contract and redeem it as an NFT
  3. 💸 List it on markets like OpenSea (link) and Rare Bits (link) or use it as collateral for a loan from Dharma Protocol
  4. 🏡 When the domain is ready to be used by an ENS resolver, come back to ENSNifty.com and convert it back to a deed

Our contract is a fully compliant with ERC-721 and received a code review from Dean Eigenmann of ENS and zklabs. The contract just holds onto your ENS name deed until the NFT is redeemed. Check out the verified code on Etherscan and our github profile to see the code yourself.

Full Descent

Returning to the goal of enticing 😈DwarfPool👿 to use ENS Nifty to list clovers.eth, I still needed to make the standard popular. To do so I decided to borrow the nefarious techniques employed by my adversary in order to catch and release some domains of my own as a sort of “dogfood marketing scheme”. Below are the spoils I acquired in the process.

Be aware that I’m not totally nefarious; I’ve attempted to contact each of these auction instigators in order to return their domains (If you’re one of them, Hello! Thanks for reading!). Further down the page is the method I developed for winning auctions and tips for protecting yourself against my simple attack.

Victims (Amount Spent)

Please note that the Marshall McLuhan domain was the first to be returned to its owner using the ENS Nifty format via an Opensea auction. For anyone familiar with his work I hope you appreciate the implications. Also please note that I took great care in choosing which domains to squat; FWIW I’m really proud of acquiring chaddad.eth(knowyourmeme.com).

Instructions for the Attack

  1. Check the ENS Auction Bot and Etherscan for names that have been exposed by Rainbow Tables and are still OpenForBidding.
  2. Check if the name was begun with StartAuctionAndBid() or StartAuctionsAndBid() which exposes the amount of the initial bid—look for bids of .01 ETH.
  3. Go to MyEtherWallet (MEW) or MyCrypto and make a sealed bid on that domain, but make sure you increment it a tiny bit from the minimum—something like .0100001 ETH will do.
  4. Wait 3 days, reveal your bid and hope that the other participant was as foolish as I once was.

Defense Instructions

ENS auctions are designed with a built in defense mechanism: the masked bid. This allows you to hide your actual bid by sending a much larger amount. After the auction you are able to withdraw the difference. This is only really useful if you use the StartAuctionAndBid() method, which forces you to expose your initial bid. This method also requires you to actually have some large amount of Ether on standby that can be used for your bluff. If that’s not the case follow these instructions:

  1. MEW and MyCrypto don’t allow you to use StartAuction() on their default ENS interface, but there’s a really helpful hidden page on their legacy site called “Helpers & ENS Debugging”. There are instructions for using it here. This method allows you to begin an auction without revealing how much you’re willing to spend on it to anyone who may be watching. It also sends an “expert mode” signal to any would-be squatters that let’s them know this isn’t your first rodeo.
  2. Now you can use the default ENS interface with MEW or MyCrypto and make a sealed bid for your name at some amount above .01 ETH. Try to figure out how much the name is really worth to you, but to foil my minimal attack use at least .011 ETH .
  3. OK, actually that’s it. I mean, DON’T FORGET TO REVEAL YOUR BID AFTER 3 DAYS. All that work will be wasted if you don’t reveal the bid. After that you can take your time closing the auction and collecting any outstanding bid amount—but if you miss that 2 day window after those first 3 days, you’ve either lost your name or need to start all over again.

Use Responsibly

Please enjoy the slimy skills you’ve just acquired—use them responsibly. Take a look at the auctions at OpenSea and RareBits; buy a domain, sell a domain; 👏 smash 👏 that 👏 clap 👏 button 👏 and have a nice day 🌤

My name is Billy Rennekamp. I’m a co-founder of Bin Studio, a multidisciplinary research, design and development studio based in Berlin. We’re currently developing Clovers Network, an NFT art game supported by the ECF - Ethereum Community Fund. I work on a lot of other great projects including Meme Lordz, Harberger Ads, Doneth, and Cosmos Network. If any of that sounds interesting to you, follow my twitter or my github or just say hello 👋

P.S. You can follow the ENS Nifty twitter here 🐣

P.P.S. If you’d like to donate to the project 🤑 feel free to send some ETH to donate.ensnifty.eth (0xa4f29fc548856180f6b1e319ee4d86715875cce4)