OpenSea — the world's top non-fungible token (NFT) marketplace — is returning millions of dollars to users due to an alleged bug.
What Happened: OpenSea is contacting and refunding users affected by what many believe to be a bug that allows other users to acquire NFTs at reduced prices.
An OpenSea representative told tech news outlet ZDNet that while it is taking steps to remedy the damage, it "is not an exploit or a bug — it's an issue that arises because of the nature of the blockchain."
Blockchain-specialized cybersecurity firm Elliptic claims to have identified at least three attackers who acquired at least eight NFTs at a significant discount by taking advantage of the issue at hand. This includes NFTs that are part of major collections such as Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz NFTs.
An Elliptic blog post explains that "the exploit appears to originate from the ability to re-list an NFT at a new price, without canceling the previous listing" that are then "used to purchase NFTs at prices specified at some point in the past — which is often well below current market prices."
For instance, "jpegdegenlove" paid $133,000 for seven NFTs and then sold them on the platform for $934,000 — an amount nearly seven times higher than what he paid for the tokens. "Jpegdegenlove" then processed his proceeds through anonymizing service Tornado Cash to prevent the funds from being tracked.
To make things worse, community members accuse OpenSea of asking its users to take actions that made them vulnerable to such an attack. NFT collector "dingaling" explained that it is unwise to cancel inactive listings as the marketplace advised its users to do in a recent email.
Instead, he said that users should first transfer their NFTs to a different address and cancel the listings on the original address before sending it back to prevent attacks. He said that OpenSea "just put everyone at even more risk than before" since it "makes the exploit much easier to execute."
The collector explained that by canceling the listings users made finding them much easier, allowing attackers to front-run them and acquire the NFTs before the listing cancelation was complete. The way he put it, "you are basically handing out your NFT listing details on a silver platter to be front-run."
Photo: OpenSea You Tube screenshot
