Hackers exploited an existing bug in the OpenSea platform to purchase multiple NFTs worth over a million dollars at drastic six-figure discounts.
Elliptic Reports NFT Loss On OpenSea
NFTs across multiple wallets were targeted in the hack, where the attackers were able to buy them at previously listed prices without tipping off the owners. OpenSea is yet to make a comment or an announcement regarding the attack, which was first noticed and reported by blockchain analytics company Elliptic.
According to chief scientist and co-founder at Elliptic, Tom Robinson
"The exploit appears to come from the fact that it was previously possible to re-list an NFT at a new price, without canceling the previous listing. Those old listings are now being used to buy NFTs at prices specified in the past - often well below current market prices."
Bug Exploited To Snatch NFTs
One of the NFTs stolen by exploiting this bug was Bored Ape #9991 from the popular Bored Ape Yacht Club collection. The NFT was bought for 0.77 ETH (around $1747), a drastically low price for a Bored Ape NFT, usually selling for hundreds of thousands of dollars. However, the owner at the time of the sale was not aware that NFT had been listed for such a lowball amount. Soon after that, the same NFT was sold for 84.2 ETH (approx. $189,040), accounting for a significant profit of over $187,000.
CEO Robinson has pointed out a total of eight NFTs that have been stolen in this manner. The originating wallets were all different, while the total attacker wallets were just three. Another attacker wallet was able to acquire seven NFTs for $133,000, while a third one acquired another Bored Ape NFT for a measly 23 ETH.
How Is This Bug Created?
In a Twitter thread, software developer Rotem Yakir has summarized how the bug was created from a mismatch between the information available in NFT smart contracts and the information presented by OpenSea’s user interface. Ultimately, the bug lets attackers access old contract prices that still exist on the blockchain but are blocked from view on the OpenSea application. Potential buyers on OpenSea make a bid on the visible “list price” as set by the NFT owner. Once a buyer accepts the list price, the ownership of the NFT is automatically transferred to them.
The bug is created when owners want to re-list their NFTs at a higher price but do not want to pay the gas fees to cancel the first listing. So instead, they transfer the NFT to another wallet and then back to the original wallet. Doing this removes the listing from OpenSea’s front-end. However, the original listing stays active on the blockchain and can be found through OpenSea API.
It is interesting to note that this bug had been discovered back in December 2021. Furthermore, even in January 2022, a Twitter thread shone a light on the forced sale of NFTs with this method. However, no preventative action was taken by OpenSea at the time.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.