Millions of dollars of NFTs sold for fraction of market price due to OpenSea loophole

(Getty Images)

A loophole on OpenSea allowed malicious individuals to buy more than $1 million worth of NFTs for a fraction of their market price.

Buyers were able to purchase popular NFTs at older, lower listing prices. One person’s Bored Ape Yacht Club NFT, priced at 128 ether, was sold for 87 ether, a difference of around $90,000.

NFTs (non-fungible tokens) are blockchain records that attach ownership of a unique token to a wallet; the image itself is usually stored off-chain and referenced by the token. Buyers do not own the copyright of the original image, only the token that points to it.

"Listings made a long time ago are resurfacing when items transfer back into listers’ wallets," OpenSea, the largest marketplace for NFTs, said in a tweet on Monday.

“We can’t cancel these orders for listers, so to fix the problem, we launched a new listings manager today.”

The bug has been exploitable since 1 January and, in the 12 hours before 24 January, had been used at least eight times to “steal” NFTs with a market value of over $1 million, according to blockchain analytics company Elliptic.

The bug is caused by a mismatch between what is recorded on the blockchain and what OpenSea’s user interface shows. A listing is a sell order signed by the owner’s wallet; it stays valid until the owner cancels it with an on-chain transaction. When the NFT leaves the wallet, OpenSea’s interface stops showing the listing, but the signed order is not cancelled, so when the NFT returns to that wallet the old order can be submitted to the exchange contract again at the old price.
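The mechanism described above, modelled as a small simulation. This is an added example, not OpenSea’s or its exchange contract’s code: ECDSA wallet signatures are replaced by an HMAC under a per-account key (an assumption so the script runs offline), and the account names, token id and prices are constructed sample data. It shows that hiding a listing in the interface is not the same as cancelling it on-chain, and that cancelling before moving the NFT out of the wallet closes the gap.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Order:
    """An off-chain sell order. The salt makes otherwise-identical orders distinct."""
    maker: str
    token_id: int
    price_eth: float
    salt: int

    def digest(self) -> bytes:
        return hashlib.sha256(
            f"{self.maker}|{self.token_id}|{self.price_eth}|{self.salt}".encode()
        ).digest()


# Per-account secrets standing in for wallet private keys (constructed sample data).
KEYS = {"alice": b"alice-key", "mallory": b"mallory-key"}


def sign(order: Order) -> bytes:
    """Assumption: HMAC in place of an ECDSA wallet signature."""
    return hmac.new(KEYS[order.maker], order.digest(), hashlib.sha256).digest()


class Exchange:
    """Models the on-chain settlement contract: it only knows owners and cancelled digests."""

    def __init__(self, owners: Dict[int, str]):
        self.owners = owners                 # token_id -> current owner (NFT contract state)
        self.cancelled: Set[bytes] = set()   # digests cancelled or filled on-chain

    def transfer(self, token_id: int, frm: str, to: str) -> None:
        assert self.owners[token_id] == frm
        self.owners[token_id] = to

    def cancel(self, order: Order, caller: str) -> None:
        # Only the maker can cancel, and only by sending a transaction.
        if caller != order.maker:
            raise PermissionError("only the maker can cancel")
        self.cancelled.add(order.digest())

    def fill(self, order: Order, sig: bytes, buyer: str, paid_eth: float) -> bool:
        # Settlement checks: valid signature, not cancelled, maker still owns the token, price met.
        if not hmac.compare_digest(sig, sign(order)):
            return False
        if order.digest() in self.cancelled:
            return False
        if self.owners[order.token_id] != order.maker:
            return False
        if paid_eth < order.price_eth:
            return False
        self.cancelled.add(order.digest())   # a filled order cannot be filled twice
        self.owners[order.token_id] = buyer
        return True


class Marketplace:
    """Models the off-chain order book and the interface's listing filter."""

    def __init__(self, exchange: Exchange):
        self.exchange = exchange
        self.book: List[Tuple[Order, bytes]] = []

    def list_item(self, order: Order) -> None:
        self.book.append((order, sign(order)))

    def visible_listings(self, maker: str) -> List[Order]:
        # The interface hides listings for tokens the maker no longer holds.
        # Hiding is not cancelling: the signed order is still in the book.
        return [o for o, _ in self.book
                if o.maker == maker and self.exchange.owners[o.token_id] == maker]


def scenario(cancel_before_transfer: bool) -> Optional[float]:
    """Returns the price at which mallory buys token 1, or None if no order is fillable."""
    ex = Exchange({1: "alice"})
    mp = Marketplace(ex)
    old = Order("alice", 1, 0.5, salt=1)
    mp.list_item(old)
    if cancel_before_transfer:
        ex.cancel(old, "alice")              # the check a seller should run before moving the NFT
    ex.transfer(1, "alice", "alice-cold")    # move to another wallet; listing vanishes from the UI
    assert mp.visible_listings("alice") == []
    ex.transfer(1, "alice-cold", "alice")    # later move it back
    mp.list_item(Order("alice", 1, 80.0, salt=2))   # relist at today's market price
    # Mallory ignores the interface and submits the cheapest signed order straight to the contract.
    for order, sig in sorted(mp.book, key=lambda pair: pair[0].price_eth):
        if order.token_id == 1 and ex.fill(order, sig, "mallory", order.price_eth):
            return order.price_eth
    return None
```

With `cancel_before_transfer=False` the stale 0.5 ETH order settles even though the interface never showed it again; with the on-chain cancel in place only the 80 ETH relisting is fillable.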

Coindesk reports that the bug was discovered as early as 31 December 2021.

Earlier this month, OpenSea had to freeze NFTs stolen by hackers who attempted to sell them on the platform. However, this goes against the decentralised philosophy of crypto advocates, who argue that blockchain technologies do not require external oversight.

Critics say centralised platforms, such as OpenSea, have historically had significant vulnerabilities. Check Point Research had previously found a security vulnerability in the platform that let attackers hijack user accounts and drain entire wallets.

“Since this issue was identified, we’ve taken it incredibly seriously and worked to ship product solutions for the community. This is not an exploit or a bug – it’s an issue that arises because of the nature of the blockchain. OpenSea cannot cancel listings on behalf of users. Instead, users must cancel their own listings,” an OpenSea spokesperson said in a statement.

“It’s OpenSea’s priority to make users aware of all their listings, and we’re working on a number of product improvements to address this, including a dashboard where they can easily see and cancel listings. In addition, we have been actively reaching out to and reimbursing affected users. We have not communicated broadly about this issue because we did not want to risk bringing it to the attention of bad actors who could abuse it at scale before we had mitigations in place.”
