ENS name stolen from wallet. Retrievable?

Hello - My MetaMask wallet was hacked recently and all my ETH, NFTs and ENS names were stolen. Is it possible to reclaim my ENS name? I have proof of purchase on the ENS site and I can show you when it was stolen. Thanks

Sorry for your loss. It’s gone. Please consider using MetaMask over a hardware wallet or set up a multisig wallet next time.

Lesson learned. Thanks for the reply!

2 Likes

Hey @jmglancy, I’m so sorry to hear your account was compromised and you lost this stuff.

For future reference, there’s a possibility of getting your ENS name back if you separate the Registrant and the Controller between two different accounts.

The Registrant address of the ENS name has full access to that name. The Controller address can edit the records of the name, but cannot change the Registrant. So generally, a quite safe method of holding/managing your ENS name is to have a cold storage account be the Registrant, and have your daily driver / hot wallet be the Controller. That way, if the daily driver / hot wallet gets compromised, you can get that ENS name back by accessing your cold storage aka Registrant account.

Reference: Terminology - ENS Documentation

3 Likes
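The Registrant/Controller split described in the post above, as an added example that is not part of the original thread and not ENS's own code: a simplified Python model of the two roles, replaying theft of the hot wallet key with and without the split. The comments name the contract calls each method stands in for (registry setOwner, registrar transferFrom and reclaim); the addresses are constructed placeholders, and ERC-721 operator approvals are left out of the model.

```python
# Simplified model of the two ENS roles; not ENS contract code.
# Addresses are constructed placeholders.
class ENSModel:
    def __init__(self, registrant, controller):
        self.registrant = registrant  # registrar (ERC-721) token owner
        self.controller = controller  # registry owner, may edit records
        self.record = None            # address the name resolves to

    def _require(self, sender, role):
        if sender != getattr(self, role):
            raise PermissionError(f"sender is not the {role}")

    def set_record(self, sender, addr):
        self._require(sender, "controller")   # record edits: Controller only
        self.record = addr

    def set_controller(self, sender, new_controller):
        self._require(sender, "controller")   # registry setOwner
        self.controller = new_controller

    def transfer_registrant(self, sender, new_registrant):
        self._require(sender, "registrant")   # registrar transferFrom
        self.registrant = new_registrant

    def reclaim(self, sender, new_controller):
        self._require(sender, "registrant")   # registrar reclaim overrides Controller
        self.controller = new_controller


def hot_key_compromise(split_roles):
    """Replay theft of the hot wallet key; return (recovered, final_controller)."""
    cold, hot, thief = "0xCOLD", "0xHOT", "0xTHIEF"
    ens = ENSModel(registrant=cold if split_roles else hot, controller=hot)
    ens.set_controller(hot, thief)            # thief signs with the stolen hot key
    ens.set_record(thief, thief)
    try:
        ens.transfer_registrant(hot, thief)   # works only if hot was the Registrant
    except PermissionError:
        pass
    try:
        ens.reclaim(cold, "0xNEWHOT")         # owner acts from cold storage
        ens.set_record("0xNEWHOT", "0xNEWHOT")  # records must be reset after reclaim
        return True, ens.controller
    except PermissionError:
        return False, ens.controller


if __name__ == "__main__":
    print(hot_key_compromise(True), hot_key_compromise(False))
```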

That makes sense. I didn’t know you could break up addresses like that on the ENS name. I would have done that for sure. Thanks for sharing.

1 Like

It’s my pleasure. Again, I’m sorry about this situation - never fun to have things taken away from you. Almost feels like everyone learns this lesson at least once and it’s such a painful lesson that we all elevate our security 10x afterwards so it doesn’t ever happen again.

Feel free to reach out if you ever have questions or need help with anything!

Technically, you can also transfer the domain to a burn address, while still being able to change records if you keep being the controller. Renewals can be made from any address. Keep in mind you won’t be able to transfer / sell your domain in the future if you do this though.

This is what I would do. Transfer my ENS domain names to a dedicated wallet address, as the Registrant, that has a connection to a 2FA account. I set my CBW to Face ID for transactions. Second, Coinbase Wallet does not have 2FA, but when I select 2FA security key on my Coinbase.com account, it somehow prevents CBW notifications from going to my phone, so I can’t sign transactions. Each time I want to receive CBW notifications on my iPhone, I have to change my 2FA selection in my Coinbase account to text message security (I change it back to security key later). Lastly, since I need $ETH in the account to pay gas fees for any transaction from it, I would keep my balance of $ETH extremely low, as an additional measure to prevent transactions from the account.

1 Like

I am dealing with something very similar. I noticed recently that one of my ENS domains, “robloxian.ens”, was missing. The transfer out of my wallet happened about a week ago without my knowledge. I see now that whoever took my NFT is attempting to sell it (along with many other NFTs) on multiple sites.

I originally minted the ENS domain in November of 2021 with my MetaMask wallet address 0x361fC0ED3D5a3d0bDfDfde855E46d9c04de6b7eE, and sometime shortly after transferred it to my Coinbase wallet address 0x2d63bf0766c94d54955b6cb4044babe6b0b58bab. My MetaMask wallet is still the “controller” on the ENS website, but address 0x6F69D2Efe0e663506d4Ee3A5DdB72D14aE8f8D56 (whoever this is) is now the “registrant” and can do with the name as they wish?

Also, maybe they blocked me, but I cannot view this person’s OpenSea account. I can see what they are selling (along with my ENS domain) on x2y2.io. I’m even attempting to buy it back (how dumb is that?) bc it was for my son, a HUGE Roblox fan.

I don’t know how this happened, but this looks to be the only thing missing from my wallet. I will include a bit more information below.

Sorry for the long read. Thank you in advance for any help.

Transaction: 0x1956c0c59910e308ad5c59ff4512ba32995661920a03c34218025f6747b64a0c

Contract: 0x57f1887a8BF19b14fC0dF6Fd9B2acc9Af147eA85

Hi,
This just happened to me. No clue what happened or how. Were you able to recover your ENS domain?
I am still the controller but they changed the registrant.

This is why ERC721 is so bad as a standard. Default blanket Approvals, but with no fail stops in the code or whitelisted addresses to stop approval attacks. You shouldn’t need to send domains to fresh addresses.