Marketplace exploit leads to catastrophic losses for NFT collectors

An API issue on popular NFT marketplaces OpenSea and Rarible has led to NFT collectors incurring massive losses on their prized Bored Apes and Cool Cats.

The error was caused by NFT collectors incorrectly cancelling their listings on OpenSea: they opted to transfer their assets to another wallet in an attempt to avoid paying cancellation fees, which can cost up to $100 depending on gas prices.

This method was assumed to have ‘cancelled’ the listing as it no longer showed as ‘listed’ on the front end of OpenSea’s user interface. However, the listings were still accessible as older ‘listings’ on alternative marketplace Rarible, which uses data from the OpenSea API to list and display NFTs for sale.

Over time, collectors began transferring their NFTs back to the original wallet. Now, unbeknownst to them, their prized assets were again purchasable for unbelievably low prices as the listings were still ‘valid’ on Rarible.

As collectors began to transfer their NFTs back to the original wallet, the listings remained ‘open’ on Rarible as the blockchain still recognised that the NFT was listed at the original listing price.

Because the OpenSea front end showed that the listings had been cancelled and were no longer available, collectors remained oblivious that their prized assets were still purchasable. They began losing those assets for unbelievably low prices, leading to catastrophic losses for a select few.

The exploit started early this morning with a number of below-market-value purchases from OpenSea user ‘jpegdegenlove’ for three Bored Apes, two Mutant Apes, a Cool Cat and a Genesis CyberKongz NFT.

It’s now believed that the exploiter interacted directly with smart contracts to ‘bypass’ the OpenSea interface and discover the listings that were still available for purchase ‘on-chain’ – thus making them purchasable without the holders being aware.


The person behind the exploit, ‘jpegdegenlove’, has managed to gain around 332 ETH ($737k) following the exploit.

Following the low-ball purchases, the NFTs were relisted at their perceived market value and instantly snapped up by other collectors seeking the rarest assets available on the market.

Collectors are now being urged to cancel their older listings on Rarible to ensure that their assets are safe from the exploit. In addition, some prominent members of the Bored Ape community are planning on opening a fund to help recuperate the losses incurred by the unfortunate BAYC holders affected.

When the exploit was first discovered, Rarible moved swiftly to encourage users to cancel their older listings, cancelling all OpenSea orders on its platform and informing users how to properly cancel their listings.
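An added example, not code from OpenSea, Rarible or this article: a simplified model of the behaviour described above, used to audit a wallet's open listings before an NFT is moved back into it. The `Listing` fields, the fillability rule, the floor-price threshold and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    token: str                # constructed id, "COLLECTION#n"
    maker: str                # wallet that signed the listing
    price_eth: float
    expires: int              # unix time the listing lapses
    cancelled_on_chain: bool = False

def current_owner(token, first_owner, transfers):
    """Replay (token, sender, recipient) transfers in order."""
    owner = first_owner
    for tok, sender, recipient in transfers:
        if tok == token and sender == owner:
            owner = recipient
    return owner

def is_fillable(listing, owner, now):
    # Assumed rule: moving the token never cancels the listing; the order is
    # only unfillable while the maker does not hold the token.
    return (not listing.cancelled_on_chain and now < listing.expires
            and owner == listing.maker)

def stale_listings(listings, owners, floors, now, ratio=0.5):
    """Listings still fillable and priced below ratio * collection floor."""
    return [x for x in listings
            if is_fillable(x, owners[x.token], now)
            and x.price_eth < ratio * floors[x.token.split("#")[0]]]

# Constructed scenario: A lists two tokens, "cancels" APE#1 by transferring it
# to a second wallet B, and cancels CAT#7 properly on-chain.
NOW = 1_700_000_000
LISTINGS = [
    Listing("APE#1", "A", 15.0, NOW + 86_400),
    Listing("CAT#7", "A", 2.0, NOW + 86_400, cancelled_on_chain=True),
]
FLOORS = {"APE": 80.0, "CAT": 9.0}            # constructed floor prices in ETH
AWAY = [("APE#1", "A", "B")]                  # token moved out
BACK = AWAY + [("APE#1", "B", "A")]           # ...and later moved back

def owners_after(transfers):
    return {x.token: current_owner(x.token, "A", transfers) for x in LISTINGS}

if __name__ == "__main__":
    for label, transfers in (("away", AWAY), ("back", BACK)):
        hits = stale_listings(LISTINGS, owners_after(transfers), FLOORS, NOW)
        print(label, [(x.token, x.price_eth) for x in hits])
```

While the token sits in the second wallet nothing is flagged; once it returns, the old 15 ETH listing is reported, and the properly cancelled one never is.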

Today’s exploit provides the first stark reminder of its potential ramifications and of the costly mistakes that can be made in the unpredictable NFT space.
