Lessons Learned Squatting ENS Domains

Amateur Hour

The First Cut is the Deepest

Rainbow Table > Namehash

Enter ENS Nifty

  1. 🔓 Go to ENSNifty.com and unlock your wallet
  2. 🔀 Transfer your domain deed to our contract and redeem it as an NFT
  3. 💸 List it on markets like OpenSea and Rare Bits or use it as collateral for a loan from Dharma Protocol
  4. 🏡 When the domain is ready to be used by an ENS resolver, come back to ENSNifty.com and convert it back to a deed

Full Descent

Victims (Amount Spent)

Instructions for the Attack

  1. Check the ENS Auction Bot and Etherscan for names that have been exposed by Rainbow Tables and are still OpenForBidding.
  2. Check whether the auction was started with StartAuctionAndBid() or StartAuctionsAndBid(), which exposes the amount of the initial bid—look for bids of .01 ETH.
  3. Go to MyEtherWallet (MEW) or MyCrypto and make a sealed bid on that domain, but make sure you increment it a tiny bit from the minimum—something like .0100001 ETH will do.
  4. Wait 3 days, reveal your bid and hope that the other participant was as foolish as I once was.

Defense Instructions

  1. MEW and MyCrypto don’t allow you to use StartAuction() on their default ENS interface, but there’s a really helpful hidden page on their legacy site called “Helpers & ENS Debugging”. There are instructions for using it here. This method allows you to begin an auction without revealing how much you’re willing to spend on it to anyone who may be watching. It also sends an “expert mode” signal to any would-be squatters that lets them know this isn’t your first rodeo.
  2. Now you can use the default ENS interface with MEW or MyCrypto and make a sealed bid for your name at some amount above .01 ETH. Try to figure out how much the name is really worth to you, but to foil my minimal attack use at least .011 ETH.
  3. OK, actually that’s it. I mean, DON’T FORGET TO REVEAL YOUR BID AFTER 3 DAYS. All that work will be wasted if you don’t reveal the bid. After that you can take your time closing the auction and collecting any outstanding bid amount—but if you miss that 2 day window after those first 3 days, you’ve either lost your name or need to start all over again.
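To make the timing and pricing rules above concrete, here is a small Python model of the registrar's auction lifecycle. It is an added example, not code from the original post or from ENS itself: sealed bids are accepted for 3 days, must be unsealed during the following 2-day window or are forfeited, and the highest revealed bid wins at the second-highest price. The sha256 commitment, bidder names, salts and amounts are constructed stand-ins (the real registrar's shaBid() commitment is keccak256-based), and the namehash is a placeholder.

```python
import hashlib

DAY = 86400
MIN_BID = 0.01           # registrar minimum bid, in ETH
BID_WINDOW = 3 * DAY     # sealed bids accepted for 3 days after the auction starts
REVEAL_WINDOW = 2 * DAY  # then 2 days to unseal; unrevealed bids are forfeited

def seal(name_hash, owner, value, salt):
    # Stand-in for the registrar's shaBid() commitment; the real contract uses keccak256.
    return hashlib.sha256(f"{name_hash}|{owner}|{value}|{salt}".encode()).hexdigest()

class Auction:
    def __init__(self, start):
        self.start = start
        self.sealed = {}    # commitment -> bidder; the amount is not visible here
        self.revealed = []  # (amount, bidder) for bids unsealed in time

    def new_bid(self, now, commitment, bidder):
        if not self.start <= now < self.start + BID_WINDOW:
            raise ValueError("bid phase closed")
        self.sealed[commitment] = bidder

    def unseal(self, now, name_hash, bidder, value, salt):
        reveal_open = self.start + BID_WINDOW
        if not reveal_open <= now < reveal_open + REVEAL_WINDOW:
            raise ValueError("reveal window missed: bid forfeited")
        if self.sealed.pop(seal(name_hash, bidder, value, salt), None) != bidder:
            raise ValueError("no matching sealed bid")
        self.revealed.append((value, bidder))

    def finalize(self, now):
        if now < self.start + BID_WINDOW + REVEAL_WINDOW:
            raise ValueError("auction still running")
        if not self.revealed:
            return None, 0.0
        bids = sorted(self.revealed, reverse=True)
        price = bids[1][0] if len(bids) > 1 else MIN_BID  # Vickrey: pay the second price
        return bids[0][1], price

def scenario(alice_bid):
    # Constructed scenario: alice wants the name, a squatter bids a hair over the minimum, bob bids high but never reveals.
    h = "PLACEHOLDER_NAMEHASH"  # not a real namehash
    a = Auction(start=0)
    a.new_bid(1 * DAY, seal(h, "alice", alice_bid, "salt-a"), "alice")
    a.new_bid(2 * DAY, seal(h, "squatter", 0.0100001, "salt-s"), "squatter")
    a.new_bid(2 * DAY, seal(h, "bob", 0.5, "salt-b"), "bob")
    a.unseal(3 * DAY + 1, h, "alice", alice_bid, "salt-a")
    a.unseal(4 * DAY, h, "squatter", 0.0100001, "salt-s")
    # bob never calls unseal inside the 2-day window, so his 0.5 ETH bid is forfeited
    return a.finalize(6 * DAY)  # returns (winner, price paid)
```

Running `scenario(0.01)` shows the squatter taking the name for the 0.01 ETH second price, while `scenario(0.011)` shows alice keeping it for 0.0100001 ETH.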

Use Responsibly
