ENS contracts undergo rigorous security audits to ensure the safety and reliability of the protocol. This page provides information about completed audits and the bug bounty program.

Audit Reports

EthRegistrar Audit (2019)

The ENS .eth registrar contracts were audited by ConsenSys Diligence in February 2019.

ConsenSys Diligence Audit Report

View the complete audit report on GitHub
Scope:
  • BaseRegistrar
  • BaseRegistrarImplementation
  • ETHRegistrarController
  • Price Oracle contracts
  • Commit/reveal registration mechanism
Key Findings:
  • Security vulnerabilities identified and resolved
  • Best practices recommendations implemented
  • Gas optimization suggestions applied

Bug Bounty Program

Covered Versions

The following are subject to the ENS bug bounty program:
1. Release Candidates

All Release Candidate versions (e.g., v1.2.3-RC0, v1.2.3-RC1) are subject to bug bounty upon creation of the GitHub release.
2. Staging Branch

The staging branch is under bug bounty coverage as it represents code intended for production.
3. Main Branch

The main branch is under bug bounty coverage as it represents deployed production code.

What to Report

Report security vulnerabilities including:
  • Critical Issues
    • Unauthorized fund access
    • Unauthorized ownership transfer
    • Contract upgrade vulnerabilities
    • Registry manipulation
  • High Severity Issues
    • Access control bypasses
    • Denial of service vulnerabilities
    • Logic errors affecting name ownership
    • Fuse mechanism bypasses
  • Medium Severity Issues
    • Griefing attacks
    • Gas optimization issues affecting usability
    • Time-based attack vectors
Do not exploit vulnerabilities on mainnet. Report findings responsibly through the proper channels.

Reporting Process

  1. Identify the vulnerability in covered code (RC tags, staging, or main branch)
  2. Prepare a detailed report including:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if applicable)
  3. Submit your report through official ENS security channels
  4. Wait for acknowledgment - The team will review and respond

Audit History

Timeline

Date | Component | Auditor | Status
Feb 2019 | EthRegistrar | ConsenSys Diligence | ✅ Complete

Additional audits may be conducted for major contract updates and new features. Check the release notes for specific audit information.

Security Best Practices

ENS contracts follow industry security best practices:

Smart Contract Security

  • Access Control - Role-based permissions using OpenZeppelin contracts
  • Reentrancy Protection - Guards against reentrancy attacks
  • Integer Overflow Protection - Using Solidity 0.8+ built-in checks
  • Upgrade Mechanisms - Controlled upgrade paths with governance

Development Security

  • Automated Testing - Comprehensive test suite with high coverage
  • Continuous Integration - Automated testing on all commits
  • Code Review - Multi-party review for all changes
  • Formal Verification - Where applicable for critical functions

Pre-Deployment Audit Requirements

Before mainnet deployment, the following audit requirements must be met:
1. Create Release Candidate

Tag the commit as a Release Candidate (e.g., v1.2.3-RC0). This version is now subject to bug bounty.
2. Conduct Security Audit

Have the Release Candidate audited by a reputable security firm if necessary for the changes.
3. Address Findings

Fix any issues found during the audit. Create a new RC version (e.g., v1.2.3-RC1) if changes are required.
4. Deploy to Testnet

Deploy the audited version to testnet for final validation.
5. Production Release

After successful testnet deployment and final review, deploy to mainnet.

Responsible Disclosure

ENS follows responsible disclosure practices:

For Security Researchers

  • Report vulnerabilities privately before public disclosure
  • Allow reasonable time for fixes to be implemented
  • Coordinate disclosure timing with the ENS team
  • Receive recognition for responsible disclosure

For Users

If you discover a security issue:
  1. Do not publicly disclose the vulnerability
  2. Do not exploit the vulnerability on mainnet
  3. Do report it through proper channels immediately
  4. Do provide detailed information to help with fixes

Contract Immutability

Important security considerations:
Most ENS core contracts are immutable once deployed. Security is paramount as bugs cannot be easily fixed post-deployment.

Upgrade Mechanisms

Where upgrades are supported:
  • NameWrapper - Has built-in upgrade functionality with owner control
  • Registrar Controllers - Can be replaced via controller mechanism
  • Resolvers - Users can change resolvers for their names

Immutable Contracts

  • ENS Registry - Core registry is immutable
  • Base Registrar - Base .eth registrar logic is fixed

Additional Security Resources

ENS Documentation

Official ENS security documentation

GitHub Repository

Review contract source code

OpenZeppelin Contracts

Security libraries used by ENS

Solidity Security

General smart contract security

Audit Scope

When audits are conducted, they typically cover:

Core Functionality

  • Name registration and renewal
  • Ownership transfer mechanisms
  • Resolver interactions
  • Access control and permissions

Economic Security

  • Pricing mechanisms
  • Premium pricing and decay
  • Refund and renewal logic
  • Fee collection and distribution

Advanced Features

  • NameWrapper fuse mechanisms
  • Subdomain management
  • Expiry and grace periods
  • Upgrade procedures

Questions?

For security-related questions:
Always verify you’re reporting security issues through official ENS channels to ensure proper handling of sensitive information.
