A bug in OpenSea, the largest NFT marketplace, made it possible for attackers using multiple wallets to buy NFTs on Monday at prices significantly below market value, according to Elliptic’s blockchain analytics service. Crypto assets known as non-fungible tokens (NFTs) record the ownership status of digital files on blockchains. Speculators and NFT enthusiasts use OpenSea to trade their NFTs. In January, $4.8 billion worth of NFTs were traded on OpenSea.
An error in the marketplace allowed users to purchase certain NFTs at prices they had been listed for in the past, without their owners realizing they were still available. OpenSea did not respond immediately to a request for comment. Elliptic’s co-founder and chief scientist Tom Robinson said, “The exploit appears to originate from the way it was previously possible to re-list an NFT without canceling the previous listing”.
“These old listings are now being used to purchase NFTs at prices previously specified, often much below current market prices.”
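The re-listing behaviour Robinson describes can be modelled in a few lines. This is an added example, not OpenSea's code: the `Marketplace` class, its `cancel_on_relist` switch, and the token names and prices are all constructed for illustration. It shows why an uncancelled older listing stays purchasable and how an owner-side audit would flag it.

```python
from dataclasses import dataclass


@dataclass
class Listing:
    token: str
    price_eth: float
    seq: int               # creation order of the listing
    cancelled: bool = False


class Marketplace:
    """Toy order book. cancel_on_relist=False models the reported flaw."""

    def __init__(self, cancel_on_relist):
        self.cancel_on_relist = cancel_on_relist
        self.listings = []

    def list_token(self, token, price_eth):
        if self.cancel_on_relist:
            # Hardened form: a new listing invalidates every older one.
            for old in self.listings:
                if old.token == token:
                    old.cancelled = True
        self.listings.append(Listing(token, price_eth, len(self.listings)))

    def fillable(self, token):
        """Listings a buyer could still execute for this token."""
        return [l for l in self.listings if l.token == token and not l.cancelled]


def stale_listings(market):
    """Owner-side audit: active listings superseded by a newer active one."""
    newest = {}
    for l in market.listings:
        if not l.cancelled and (l.token not in newest or l.seq > newest[l.token].seq):
            newest[l.token] = l
    return [l for l in market.listings
            if not l.cancelled and l is not newest[l.token]]


def demo(cancel_on_relist):
    m = Marketplace(cancel_on_relist)
    m.list_token("token-1", 1.0)    # constructed: old, low price
    m.list_token("token-1", 50.0)   # constructed: re-listed at a higher price
    m.list_token("token-2", 5.0)    # constructed: listed once, never stale
    stale = [(l.token, l.price_eth) for l in stale_listings(m)]
    lowest = min(l.price_eth for l in m.fillable("token-1"))
    return stale, lowest
```

`demo(False)` reports the old 1.0 listing as stale and still the cheapest way to buy the token; `demo(True)` reports nothing stale and a lowest price of 50.0.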
The large-scale bug exploitation
On Monday, Bored Ape #9991, a cartoon ape from the Bored Ape Yacht Club collection, was purchased for 0.77 Ethereum (about $1,747), despite the fact that most BAYC NFTs sell for hundreds of thousands of dollars. The Bored Ape Yacht Club was created by U.S.-based company Yuga Labs and consists of 10,000 algorithmically generated cartoon ape NFTs. According to blockchain records seen on OpenSea, Bored Ape #9991, which was bought for 0.77 ether, was sold for 84.2 ether (about $189,040) around 20 minutes later, giving the buyer a profit of more than $187,000.
On Twitter, the NFT’s original owner, identified as “TBALLER.eth” (@T_BALLER6), expressed shock at the transaction, which they claimed they did not authorize:
“Yooo guys! Idk what just happened by why did my ape just sell for .77?????”
“I didn’t list me ape at all…. Now I’m seeing DMs it sold for .77?????? Wtf??????”
Anonymous attacks using different wallets
In all, eight NFTs have been stolen in this way from eight different wallets by three attacker wallets, according to Elliptic’s Robinson. By exploiting the bug, one person purchased seven NFTs for $133,000 and sold them on for $934,000, Robinson said. Even though crypto wallets are usually anonymous, it may be possible to identify attackers if they use an exchange to convert fiat to crypto. Although celebrities, investors, and brands are flocking to the NFT market, where sales volumes and the prices of some sought-after NFTs have risen to eye-watering levels, the OpenSea bug may cause some buyers to pause.
OpenSea was founded in 2017, and its latest venture funding round valued the company at $13.3 billion. Elliptic data shows that $2 billion has been stolen through hacks since 2020 from users of decentralized finance (DeFi). Generally, it’s not common to see marketplace-wide exploits. “Individual users have been hacked and their NFTs stolen, for example through phishing attacks, but it’s rare to see something that could affect the entire market,” Robinson said.