Hackers used an OpenSea bug to buy multiple NFTs for over a million dollars at dramatic six-figure discounts.
Elliptic Reports NFT Gains on OpenSea
The hack exposed NFTs from multiple wallets. The attackers were able to buy them at previously listed prices and not tip the owners. OpenSea has yet to comment on the attack. It was first reported by Elliptic, a blockchain analytics company.
According to Tom Robinson, chief scientist at Elliptic and co-founder of the company, Robinson
The exploit seems to be based on the fact that an NFT could previously be re-listed at a new price without having to cancel the existing listing. These old listings can be used to purchase NFTs at prices that were specified in the past, often much lower than current market prices.
Bug Exploited To Snatch NFTs
Bored Ape #9991 was one of the NFTs stolen through this bug. It is part of the Bored Ape Yacht Club collection. The NFT was purchased for 0.77 ETH (around $1747). This is a very low price for a Bored Ape NFT. These NFTs are often sold for hundreds of thousands of dollars. The owner of the NFT was unaware that it was listed at such a low price. The same NFT was soon sold for 84.2 ETH (approx. $189,040), a substantial profit of more than $187,000.
CEO Robinson pointed out eight NFTs that were stolen in this way. All of the originating wallets were different, but there were only three attacker wallets. One attacker wallet was able to acquire seven NFTs at $133,000, while another purchased another Bored Ape NFT at a paltry 23 ETH.
How is this bug created?
Rotem Yakir, a software developer, has posted a Twitter thread that explains how the bug was created by a mismatch between the information available to smart contracts and OpenSea’s user interface. The bug allows attackers to access contract prices that are still available on the blockchain, but are hidden from the OpenSea app. OpenSea allows potential buyers to bid on the “list price”, as determined by the NFT owner. The NFT owner automatically transfers ownership to the buyer once they accept the list price.
This bug occurs when owners wish to relist their NFTs at higher prices but don’t want to pay the fees for cancelling the original listing. Instead, they transfer their NFTs to another wallet and then return them to the original wallet. This removes the listing from OpenSea’s front-end, but the original listing remains active on the blockchain and can be found via the OpenSea API.
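The mismatch described above can be checked from the owner's side. The following is an added example, not code from this article, from OpenSea or from Rotem Yakir's thread: a simplified Python model in which a listing stays executable until it is cancelled or expires, as long as its creator holds the token. The Listing fields, wallet names and sample records are constructed assumptions and are not OpenSea API fields.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    listing_id: str
    token: str
    maker: str          # wallet that created the listing
    price_eth: float
    expires_at: int     # unix time; 0 means no expiry (assumption)
    cancelled: bool     # True only after an explicit cancellation
    shown_in_ui: bool   # whether the front-end still displays it

def is_fillable(l, owner_of, now):
    """Still executable: never cancelled, not expired, maker holds the token."""
    return (not l.cancelled
            and (l.expires_at == 0 or l.expires_at > now)
            and owner_of.get(l.token) == l.maker)

def audit_wallet(wallet, listings, owner_of, now):
    """Flag the wallet's fillable listings that are hidden from the UI or
    priced below the price the UI currently shows for the same token."""
    live = [l for l in listings if l.maker == wallet and is_fillable(l, owner_of, now)]
    findings = []
    for l in live:
        shown = [o.price_eth for o in live if o.token == l.token and o.shown_in_ui]
        intended = max(shown) if shown else None
        if not l.shown_in_ui or (intended is not None and l.price_eth < intended):
            findings.append((l.listing_id, l.token, l.price_eth, intended))
    return sorted(findings)

# Constructed sample data (not real listings or wallets).
NOW = 1_700_000_000
LISTINGS = [
    Listing("old-1", "token-1", "wallet-A", 0.77, 0, False, False),  # relisted, never cancelled
    Listing("new-1", "token-1", "wallet-A", 90.0, 0, False, True),   # price the owner intends
    Listing("old-2", "token-2", "wallet-A", 1.5, 0, True, False),    # properly cancelled
    Listing("old-3", "token-3", "wallet-A", 2.0, NOW - 1, False, False),  # expired
]
OWNER_AWAY = {"token-1": "wallet-B", "token-2": "wallet-A", "token-3": "wallet-A"}
OWNER_BACK = {**OWNER_AWAY, "token-1": "wallet-A"}

if __name__ == "__main__":
    print("while parked in wallet-B:", audit_wallet("wallet-A", LISTINGS, OWNER_AWAY, NOW))
    print("after transfer back:    ", audit_wallet("wallet-A", LISTINGS, OWNER_BACK, NOW))
```

While the token sits in the second wallet nothing is flagged; once it returns, the uncancelled low-price listing is reported next to the price the owner intended, which is the listing that has to be cancelled explicitly.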
This bug was discovered in December 2021. Interestingly, a Twitter thread exposing the forced sale of NFTs using this method was also posted in January 2022. OpenSea did not take any preventative measures at that time.