Sunday December 04, 2022

An OpenSea bug allowed attackers to snatch Apes at six-figure discounts from their owners

OpenSea, a popular NFT marketplace, had a bug that allowed hackers to buy rare NFTs at a fraction of their market value. This has resulted in hundreds of thousands in losses for the original owners and hundreds of thousands in profits for the thieves. The bug has been exploited more frequently in the last day. Elliptic, a blockchain analytics company, reported that it was used at least eight times in a 12-hour period before January 24th to “steal” NFTs worth over $1 million.
One of the NFTs, Bored Ape Yacht Club #9991, was purchased using the exploit technique for 0.77 ETH ($1,760). It was quickly resold for 84.2 ETH ($192,400), giving the attacker a profit greater than $190,000. In the same 12-hour period, an Ethereum address linked to the reseller received more than 400 ETH ($904,000) in OpenSea payouts.
“It’s subjective whether you consider it a loophole, or a bug. But the fact is that people have been forced into sales at prices they wouldn’t accept right now,” said Tom Robinson, chief scientist and co-founder of Elliptic.
Rotem Yakir, a software developer, tweeted that the bug was caused by a mismatch between the information available in NFT smart contracts and in OpenSea’s user interface. The attackers are essentially using old contracts that are still available on the blockchain but are not visible in the OpenSea view.
OpenSea users can sell NFTs by setting a “list price” that potential buyers can see. The nature of smart contracts means that if a buyer accepts the list price, the NFT will be automatically transferred to them. If the owner wishes to re-list an NFT at a higher price, they must cancel the original listing. This can cost a “gas fee” of tens to hundreds of dollars. Some users have gotten around this by transferring the NFT from one wallet to another and then back to their original wallet. This technique removed the listing from OpenSea’s front-end display. However, the original listing could still be found via the OpenSea API.
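The listing lifecycle described above, as an added example that is not OpenSea's code or API: a constructed toy model in which display state and listing validity are tracked separately, plus an owner-side audit for listings that are hidden but still binding. The class and function names, the wallet names, the prices and the fillability rule (uncancelled and seller holds the token) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Listing:
    token_id: int
    seller: str
    price_eth: float
    cancelled: bool = False    # only set by an explicit (gas-paying) cancel
    shown_in_ui: bool = True   # front-end visibility, separate from validity

class ToyMarket:
    """Constructed model of the listing lifecycle; not OpenSea's code or API."""

    def __init__(self):
        self.owner = {}      # token_id -> current owner
        self.listings = []   # every listing ever created (the API-style view)

    def mint(self, token_id, owner):
        self.owner[token_id] = owner

    def list_token(self, token_id, seller, price_eth):
        self.listings.append(Listing(token_id, seller, price_eth))

    def cancel(self, listing):
        listing.cancelled = True
        listing.shown_in_ui = False

    def transfer(self, token_id, to):
        # A transfer hides the token's listings in the UI but cancels nothing.
        for l in self.listings:
            if l.token_id == token_id:
                l.shown_in_ui = False
        self.owner[token_id] = to

    def fillable(self, l):
        # Assumption: a listing can be accepted while uncancelled and while
        # its seller currently holds the token.
        return not l.cancelled and self.owner.get(l.token_id) == l.seller

    def hidden_but_fillable(self, seller):
        """Owner-side audit: listings the UI hides but a buyer can still accept."""
        return [l for l in self.listings
                if l.seller == seller and self.fillable(l) and not l.shown_in_ui]

def demo():
    m = ToyMarket()
    m.mint(1, "alice")
    m.list_token(1, "alice", 1.0)     # constructed old, low list price
    m.transfer(1, "alice-wallet-2")   # the gas-saving workaround
    m.transfer(1, "alice")            # token returns to the original wallet
    m.list_token(1, "alice", 50.0)    # constructed new, higher list price
    return m, m.hidden_but_fillable("alice")
```

In this model only an explicit `cancel` clears the old 1.0 ETH listing; the round-trip transfer changes what is displayed, not what can be accepted.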
According to CoinDesk, the bug was discovered as early as December 31st, 2021. A tweet from almost two weeks ago, on January 12th, 2022, describes the forced sale of NFTs using the same method.
OpenSea’s treatment of the situation is unclear: it is not known whether the company considers it an open security flaw or user error. The company did not respond to a request for comment by the time of publication.

