OpenSea Bug lets attackers buy rare NFTs for a dirt-cheap price.

    OpenSea, the online marketplace for non-fungible tokens, has had been compromised with, many a time. Although the platform routinely fixes its vulnerabilities, sometimes a careless mistake on the part of users breaches that security.

    An OpenSea bug, which was discovered back in December 2021, has reportedly allowed three hackers to buy rare and valuable NFTs for a very low price and get a good profit out of them.

    How the whole transaction took place-

    • The bug allowed the hackers to buy NFTs at their much older and hence lower prices. This has been a result of a mismatch between the information available in NFT smart contracts and the information presented by OpenSea’s user interface.
    • The OpenSea platforms lets users set their own “list price” for the potential buyers, and as soon as the buyer accepts the price, the NFT is automatically transferred to them. This transaction takes place without the confirmation of the seller, who only has the right to put up the price tag.
    • This interface has forced the sellers to sell their NFTs at a much lower price due to the bug which uses the older links for the purchase.
    • The reason that there were more than one links for the same NFT is simple. When a seller wants to set up his NFT for a higher price, he/ she has to take down the initial list price offering by paying a “gas fee” which may cost the person tens or hundreds of dollars. After paying the gas fee, a new link, having a higher list price for the NFT is generated.
    • The attackers found this old link through the OpenSea API and “stole” the rare NFTs for their older prices. As soon as they bought them, they immediately resold the NFTs at a much higher price, earning thousands of dollars.

    Cost and the profit-

    Although the bug has been there for a few weeks, it has only been recently that attackers started exploiting the bug and gained massive profits.

    According to blockchain analytics firm Elliptic, one attacker paid the older price of “$133,000 for seven NFTs – before quickly selling them on for $934,000 in ether.” Five hours later, this ether was smartly sent through Tornado Cash. Tornado Cash is a non-custodial privacy solution that provides “a sort of ‘mixing’ service that is used to prevent blockchain tracing of funds.” he further stated.

    It was also reported that during a 12-hour stretch before the morning of January 24th, the bug was exploited around 8 times. This accounted for the theft or forceful sail of NFTs with a market value of over 1 million dollars.

    Bored Ape Yacht Club sold at 0.77 ETH

    Among the NFTs that were purchased through this exploit technique, was the Bored Ape Yacht Club #9991 which was sold for 0.77 ETH ($1,760) and quickly resold for 84.2 ETH ($192,400).

    Among other affected NFTs, Mutant Ape Yacht Club, CyberKongz and Cool Cats NFTs were the rarest and most valuable.

    One of the attackers, Jpegdegenlove partially reimbursed two of its victims. He paid them a total of $75,000.

    OpenSea confirmed that the older link will exist if you had an open listing that you never cancelled, or didn’t hit its expiration.

    This should come as a warning to users, even though their item does not appear to be at OpenSea front end, it can still be accessed through OpenSea’s Application Programming Interface (APIs).

    Stay in the Loop

    Get the daily email from CryptoNews that makes reading the news actually enjoyable. Join our mailing list to stay in the loop to stay informed, for free.

    Latest stories

    You might also like...