Premier NFT marketplace OpenSea may have successfully leveraged the NFT boom for a monster $13 billion valuation, but its system is still riddled with security flaws, one of which was just successfully exploited by hackers, resulting in the theft of $1M in digital assets.
Elliptic reports that a bug on OpenSea's marketplace has played a role in at least three attacks. Hackers managed to use the bug to purchase at least 8 NFTs for much less than what was considered their "fair market value". All three incidents had occurred within a day of the report.
One of the attackers paid just $133K for seven NFTs by exploiting the bug - only to turn around and sell them immediately for $934K.
In another example, an NFT belonging to the Bored Ape Yacht Club series was bought for just 0.77 ETH (just $1,800 as of Monday morning). Many other members of the family have sold for around $200K.
The sale of that BAYC member caught the attention of other niche sources of crypto-related news and gossip.
⚠️⚠️⚠️ WARNING ⚠️⚠️⚠️
MAJOR OPEN SEA BUG ALLOWING HACKERS TO STEAL YOUR #NFTS 🚨
- Please check your listings were taken down appropriately or you can be scammed instantly by the hackers.
Check my RT and also listen up 👇 pic.twitter.com/qBtIgmw6cL
— Sir Bitlord (@crypto_bitlord7) January 24, 2022
As of 10:00 ET on Monday, the attacks appear to be ongoing.
An #OpenSea bug has caused a #BAYC #NFT to sell for less than 1% of its true value ($2,000) on #Rarible!
Find out more about how a 'life-hack' to avoid paying gas-fees is putting millions of dollars at risk. #NFTs #LooksRare $ETH
— Novum Insights (@NovumInsights) January 24, 2022
This means OpenSea users might want to think twice before listing one of their precious blockchain gifs for sale, lest it be snatched up by a hacker for far less than they paid for it.
One Twitter user created a step-by-step breakdown of how the hacks unfolded:
Before we start - know that this thread has limited space so I'm only covering main issues. It's intended for education purposes only and all information shared is publicly available ...
— OKHotshot.eth (@NFTherder) January 24, 2022
1) Today a scammer was able to buy multiple high-valued #NFTs because he found the previous listings of those NFTs through a loophole. How was it done and how can you prevent this from happening to your NFTs? 👇👇
2) A scammer known as 'jpegdegenlove' used a money mixer to send 10Ξ to a newly created wallet before executing this attack. He then bought a CoolCat for 3Ξ & a Bored Ape for 0.77Ξ, with current floors of 12Ξ and 86Ξ❗️ What happened next? pic.twitter.com/LiddepondM
3) Within 20 mins the scammer sold the CoolCat for 11Ξ, and used the profits to buy another #BAYC for 6.66Ξ. Then repeated the pattern of buying and selling various high-valued #NFTs for about 90 minutes. pic.twitter.com/pEFZNuJCsg
4) So how is this possible? Because of improper delisting. Example: if you list your NFT for 3Ξ but then cancel that listing, you have to pay gas. Some ppl avoid paying that gas by sending their NFT back & forth between 2 wallets, removing the listing off OS's site ... pic.twitter.com/nDWHXeRE95
5) This is an issue for ANY situation where you list your NFT for sale but then transfer it back & forth between wallets WHILE that sale is still active. Because once the NFT is sent back to the original wallet, the original listing is active again. pic.twitter.com/izlCImCWcu
6) You can prevent this issue by correctly delisting your #NFTs before transferring to other wallets. If you're trying to avoid paying gas for delisting, you cannot securely send it back to the original wallet in the future.
7) Speculation: most likely the scammer used the @opensea API to pull the old listings onto his own site, where my guess would be using their own front-end or dApp to actually buy them.
8) ... the scammer definitely knew what they were doing, they used a mixer to anonymize the original funding, had a list of NFTs vulnerable for this to buy, and executed the attack within 90 minutes ...
9) This is not necessarily a hack or an exploit. A better description would be a loophole abused by a bad actor. Note that this is not limited to OS, it could happen on any marketplace.
To prevent this from happening use the following tips:
- Do not transfer NFTs that have active listings
- Pay gas to correctly delist
- Use https://t.co/a7eWHJi1O1 or https://t.co/Tm7MF9ej3Y to revoke
This is an ongoing loophole. Please share the info!
Novum Insights has also produced an explanation of how the bug works:
When users delist an NFT for sale, they are supposed to pay a ‘gas-fee’ to return the token to the owner's wallet. Recently, users discovered that by transferring their NFT to another ETH address, the NFT would seemingly be delisted without paying gas. However, this only removes the NFT listing from the platform’s front-end (the user-interface of the marketplace).
Opportunists were quick to discover that if the NFT in question was ever sent back to the original ETH wallet, it would still be purchasable on Rarible as the delisting gas-fee was never paid on OpenSea. More importantly, the bug causes OpenSea’s contract to scrape the NFT’s original listing price as the current listing price - this is what caused the BAYC NFT mentioned above to be purchased for less than $2,000.
On Saturday (22 January), OpenSea added a new feature that asks users to confirm whether they are sure they want to proceed when a listing is made far below the floor price of a collection. While this does not directly address the bug, it does lower the likelihood of NFTs being sold by mistake.
Unfortunately, even this didn't fix the problem. The world is still waiting to hear from OpenSea about the issue.
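The mechanism laid out in the thread and in the Novum Insights explanation above, as an added toy model that is not OpenSea's or any marketplace's code: a listing is a signed off-chain order that the contract will fill as long as it was never cancelled on-chain and the maker still owns the token, so moving the NFT away only hides the listing, and moving it back revives the old price. Wallet and token names, prices, and the `stale_listings` audit helper are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Listing:
    """A signed off-chain sell order; nothing in it tracks where the token is."""
    order_id: int      # stand-in for the order hash / salt
    maker: str
    token: str
    price_eth: float

@dataclass
class ToyMarket:
    owners: dict                                 # token -> owner, per the NFT contract
    orders: list = field(default_factory=list)   # order book kept by the marketplace/API
    cancelled: set = field(default_factory=set)  # order ids cancelled ON-CHAIN (costs gas)

    def list_for_sale(self, maker, token, price_eth):
        order = Listing(len(self.orders) + 1, maker, token, price_eth)
        self.orders.append(order)
        return order

    def cancel_onchain(self, order):
        """The only delisting the contract honours: a gas-paying cancel tx."""
        self.cancelled.add(order.order_id)

    def transfer(self, token, to):
        """The 'gas-free delisting': the UI hides listings whose maker no
        longer owns the token, but no order is cancelled."""
        self.owners[token] = to

    def is_fillable(self, order):
        """What the exchange contract checks at fill time."""
        return (order.order_id not in self.cancelled
                and self.owners[order.token] == order.maker)

    def stale_listings(self, wallet):
        """Defender's audit: every still-fillable order this wallet ever signed."""
        return [o for o in self.orders if o.maker == wallet and self.is_fillable(o)]

def demo():
    m = ToyMarket(owners={"BAYC#1": "alice"})       # constructed token/wallet names
    old = m.list_for_sale("alice", "BAYC#1", 0.77)  # the old 0.77 ETH listing
    m.transfer("BAYC#1", "alice_vault")             # "delist" for free by moving the NFT
    hidden = m.is_fillable(old)                     # False: gone from UI and unfillable
    m.transfer("BAYC#1", "alice")                   # ...until the NFT comes back
    revived = m.is_fillable(old)                    # True: the 0.77 ETH order is live again
    m.cancel_onchain(old)                           # the real fix, paid for with gas
    return {"hidden": hidden, "revived": revived, "after_cancel": m.is_fillable(old),
            "audit": len(m.stale_listings("alice"))}
```

Running `stale_listings` for your own wallet before moving a token between wallets is the check the thread's tips amount to: any order it returns must be cancelled on-chain first.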