
An ENS Vulnerability – The 42-char .eth Address You Have to Mint

Got a valuable crypto portfolio full of eth or NFTs? You might want to invest $50 in some necessary defensive OpSec through a .eth name on the Ethereum Name Service (ENS). That’s because the ability to make short, memorable custom wallet addresses can also be used in reverse. Let’s take a look:

This is an eth wallet address: 0x64233eAa064ef0d54ff1A963933D0D2d46ab5829
This is an ENS domain address: vap.eth

If you type vap.eth as the recipient into Coinbase or MetaMask, it will route the crypto to the eth wallet address above. vap.eth is much easier to remember! Convenient, right?

This is the same eth wallet address: 0x64233eAa064ef0d54ff1A963933D0D2d46ab5829
This is an ENS domain address: 0x64233eAa064ef0d54ff1A963933D0D2d46ab5829.eth

The second one is programmable to route crypto to any address chosen by the owner of that ENS domain. If that .eth name is entered into MetaMask or Coinbase, it resolves as a valid address. That’s very bad news if the eth wallet address owner doesn’t also own the ENS domain with the exact same string, because all it would take is for an amateur to accidentally append .eth to the address, OR for a schemer to hand out that address to someone intending to make a payment or send an NFT to the original.
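The following is an added example, not code from the original post or from ENS: a wallet-side guard that spots a recipient whose first label is itself a 42-character hex address and warns when the name resolves somewhere other than the address spelled out in it. The ENS records, the `0x1111…` target and the lowercase-only name normalisation are assumptions constructed for the demo.

```javascript
// Added example (not from the original post): a wallet-side guard for the
// "hex address + .eth" trap the post describes. The ENS records below are
// constructed for the demo; a real wallet would query the ENS resolver instead.

const HEX_ADDRESS = /^0x[0-9a-fA-F]{40}$/;

// Constructed records. The second entry is the danger case from the post: the
// name that looks like a wallet address resolves to a wallet its owner chose.
const DEMO_RESOLVER = {
  'vap.eth': '0x64233eAa064ef0d54ff1A963933D0D2d46ab5829',
  '0x64233eaa064ef0d54ff1a963933d0d2d46ab5829.eth':
    '0x1111111111111111111111111111111111111111', // placeholder, not a real account
};

// ENS names are case-insensitive; lowercasing stands in for full ENS name
// normalisation here (assumption: sufficient for the ASCII labels in this demo).
function normalizeName(name) {
  return name.trim().toLowerCase();
}

// Classify what the user typed: a raw address, an ENS name, or an ENS name
// whose first label is itself a 42-character hex address (the lookalike).
function classifyRecipient(input) {
  const value = input.trim();
  if (HEX_ADDRESS.test(value)) return { kind: 'address', address: value };
  const name = normalizeName(value);
  const firstLabel = name.split('.')[0];
  const lookalike = name.endsWith('.eth') && HEX_ADDRESS.test(firstLabel);
  return { kind: 'ens', name, lookalike, embeddedAddress: lookalike ? firstLabel : null };
}

// Resolve the recipient and attach a warning when a lookalike name would send
// funds somewhere other than the address written out in the name itself.
function resolveWithGuard(input, resolver = DEMO_RESOLVER) {
  const rec = classifyRecipient(input);
  if (rec.kind === 'address') return { target: rec.address, warning: null };
  const target = resolver[rec.name] ?? null;
  if (target === null) return { target: null, warning: 'UNREGISTERED_NAME' };
  if (rec.lookalike && target.toLowerCase() !== rec.embeddedAddress) {
    return { target, warning: 'LOOKALIKE_MISMATCH' };
  }
  return { target, warning: null };
}
```

A wallet that applies this check would still let the transfer through, but only after showing the user that the name and its resolved target disagree.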

What to do
It is advisable to buy the .eth ENS domain matching your wallet address. That can be done at: https://app.ens.domains/