OpenSea bug undervalues NFTs, attacker walks away with nearly $900k profits

Key Takeaways:

• A bug in OpenSea UI’s front end allowed an attacker to buy NFTs at old listing prices.

NEW DELHI (CoinChapter.com) — A bug in the NFT marketplace OpenSea allowed presented a loophole that a user exploited to walk away with $850,000 in 90 minutes.

Interestingly, the bug is not new. The platform discovered the bug on Dec 31 but failed to resolve the issue. As a result, an OpenSea user named jpegdegenlove appears to be the alleged perpetrator of the attack, stealing approximately 370 Ether (ETH), worth nearly $850,000 at the time of writing.

Blockchain security firm highlighted exploit in a tweet.

It appears that @opensea has a front-end issue and the exploiter gained about 332 Etherhttps://t.co/35kCB1n7nv

— PeckShieldAlert (@PeckShieldAlert) January 24, 2022

The attacker targeted Bored Ape Yacht Club (BAYC), Mutant Ape Yacht Club(MAYC), CyberKongz, and Cool Cats NFTs.

How It Happened

OpenSea user ‘jpegdegenlove’ first used Tornado Cash to send 10 ETH to a newly created wallet. Tornado Cash is an ETH mixer protocol that improves transaction privacy by obscuring the on-chain link between source and recipient. Afterward, the user bought a CoolcatNFT for 3 ETH and BAYC NFT for 0.77 ETH.

Also Read: Why did OpenSea, an NFT unicorn, go down abruptly earlier this week?

Within half hour, the CoolCat for 11ETH and used the profits to buy a BAYC for 6.6ETH. The scammer repeatedly bought NFTs at their old listing price and sold them at the current market price to rake in profits.

A Twitter user explained how improper delisting led to the exploit. For example, if a user lists an NFT for sale and later decides to cancel the listing, the platform charges a significant fee, and the flow price of the collectible also decreases.

However, users often avoid paying the gas by transferring their NFTs back and forth between wallets while removing the listing from OpenSea. The loophole arises when users forget to transfer their NFTs while the sale is still active. So while the item may not show in OpenSea’s listing, it is still active in the platform’s API.

NFT Owners Left Puzzled

Users who lost their NFTs to the exploit took to Twitter to vent their angst.

A BAYC owner, TBALLER.eth, posted a tweet asking the Twitter NFT community why his BAYC NFT sold for just 0.77 ETH. In addition, the user also requested Twitterati to help him recover his lost NFT.

It appears the exploiter sent me 20 ETH from the sale? Doesn’t cover the cost of the priceless ape but it’s a start I guess🥺 https://t.co/ByDqNA5sF9

— TBALLER.eth (@T_BALLER6) January 24, 2022

Later in the day, around 18:30 UTC, TBALLER.eth shared a tweet stating that the exploiter had sent him 20 ETH from the sale. Another BAYC owner, VirtualToast.eth, blasted OpenSea over the sale of its NFT (BAYC #8924) for 6.66 ETH. Over a series of tweets, he explained that the NFT’s original listing remained on the Vault account on which it sold.

Also Read: Selfie NFT collection by Indonesian student fetches over $1M on OpenSea.

The user went on to call out OpenSea’s failure to address an issue that users had already highlighted earlier. Similar to TBALLER.eth, VirualToast.eth also shared that the attacker had sent him 13.05 ETH from the sale of the exploited NFT.

Shoutout to the dude that found his way into the @opensea api and took my @BoredApeYC then after pocketing $200k, sent me some of the funds back to ease his conscious. Love the insult to injury. Gross. pic.twitter.com/n0AQ6ePyOV

— VirtualToast.eth (@ToastVirtual) January 24, 2022

Understandably, the user was not impressed. At the time of writing, OpenSea had not made any statement on the issue.