Millions of dollars of NFTs sold for fraction of market price due to OpenSea loophole

The bug was first discovered at the end of last year and had already been exploited at least eight times

Adam Smith
Wednesday 26 January 2022 03:10 EST

A loophole on OpenSea allowed opportunistic buyers to pick up more than $1 million worth of NFTs for a fraction of their market price.

Buyers were able to purchase popular NFTs at old, much lower listing prices. One Bored Ape Yacht Club NFT valued at 128 ether was bought for 87 ether, a gap worth roughly $90,000 to the buyer.

NFTs (non-fungible tokens) are unique tokens recorded on a blockchain, most commonly used as a receipt of ownership for a digital image. Buying one does not normally transfer copyright in the image; the buyer owns only the token that points to it.

"Listings made a long time ago are resurfacing when items transfer back into listers’ wallets," OpenSea, the largest marketplace for NFTs, said in a tweet on Monday.

“We can’t cancel these orders for listers, so to fix the problem, we launched a new listings manager today.”

The loophole has been exploitable since at least 1 January and, in the 12 hours before 24 January alone, was used at least eight times to “steal” NFTs with a market value of over $1 million, according to blockchain analytics company Elliptic.

The root cause is a mismatch between what OpenSea’s interface shows and what its exchange contract will still accept. A listing on OpenSea is a sell order signed by the owner, and that order remains valid until the owner cancels it on the blockchain. Moving the NFT to another wallet makes the listing disappear from the seller’s view on OpenSea, but does not cancel the order. When the NFT is transferred back into the same wallet, the old order becomes fillable again at the old price, which may now be far below market, and a buyer who knows the order exists can submit it directly to the contract and pay the stale price.
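The failure mode above, as an added example that is not OpenSea’s or its exchange protocol’s code: a simplified model of a marketplace whose sell orders are signed off-chain and stay fillable until the seller cancels them on-chain. It shows a listing vanishing from the front end while the token is away, the old order still filling at the old price once the token returns, and two mitigations (cancelling the specific order, or bumping a per-seller nonce that invalidates every earlier order). The seller names, prices, the HMAC stand-in for a wallet signature and the nonce mechanism are all constructed for this illustration.

```python
"""
Simplified model of a marketplace with off-chain signed sell orders.
Added illustration of the stale-listing failure mode, not OpenSea/Wyvern
code.  Names, prices, the HMAC "signature" and the per-seller nonce are
constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    seller: str
    token_id: int
    price_eth: float
    nonce: int        # seller's listing counter when the order was signed
    signature: bytes  # seller's authorisation of exactly these fields

    def digest(self) -> bytes:
        msg = f"{self.seller}|{self.token_id}|{self.price_eth}|{self.nonce}"
        return hashlib.sha256(msg.encode()).digest()


class Exchange:
    """On-chain state: token ownership, cancelled orders, seller keys and nonces."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys                      # seller -> key (stand-in for a wallet)
        self.owner: dict[int, str] = {}
        self.cancelled: set[bytes] = set()
        self.nonce = {s: 0 for s in keys}

    # --- seller actions (listing itself happens off-chain) -----------------
    def sign_listing(self, seller: str, token_id: int, price_eth: float) -> Order:
        unsigned = Order(seller, token_id, price_eth, self.nonce[seller], b"")
        sig = hmac.new(self.keys[seller], unsigned.digest(), "sha256").digest()
        return Order(seller, token_id, price_eth, unsigned.nonce, sig)

    def cancel(self, order: Order, caller: str) -> None:
        if caller != order.seller:
            raise PermissionError("only the seller can cancel an order")
        self.cancelled.add(order.digest())    # an on-chain transaction

    def invalidate_all(self, seller: str) -> None:
        """Hardened variant: one transaction retires every order signed so far."""
        self.nonce[seller] += 1

    def transfer(self, token_id: int, frm: str, to: str) -> None:
        assert self.owner[token_id] == frm
        self.owner[token_id] = to             # a plain transfer never touches orders

    # --- exchange contract checks -------------------------------------------
    def can_fill(self, order: Order, check_nonce: bool = False) -> bool:
        expect = hmac.new(self.keys[order.seller], order.digest(), "sha256").digest()
        return (hmac.compare_digest(expect, order.signature)
                and order.digest() not in self.cancelled
                and self.owner.get(order.token_id) == order.seller
                and (not check_nonce or order.nonce == self.nonce[order.seller]))

    def fill(self, order: Order, buyer: str, check_nonce: bool = False) -> bool:
        if not self.can_fill(order, check_nonce):
            return False
        self.owner[order.token_id] = buyer
        return True


def ui_listings(ex: Exchange, orders: list[Order], seller: str) -> list[Order]:
    """What a front end shows: the seller's orders for tokens they currently hold.
    Hiding an order here says nothing about whether the contract will fill it."""
    return [o for o in orders if o.seller == seller and ex.owner.get(o.token_id) == seller]


def stale_listing_scenario(cancel_first: bool = False, use_nonce: bool = False) -> dict:
    ex = Exchange({"alice": b"alice-key", "bob": b"bob-key"})
    ex.owner[9991] = "alice"
    old = ex.sign_listing("alice", 9991, 10.0)       # listed long ago at 10 ETH
    ex.transfer(9991, "alice", "alice-cold")         # moved out: listing disappears
    visible_while_away = ui_listings(ex, [old], "alice")
    if cancel_first:
        ex.cancel(old, "alice")                      # explicit on-chain cancel
    if use_nonce:
        ex.invalidate_all("alice")                   # retire all earlier orders
    ex.transfer(9991, "alice-cold", "alice")         # moved back; market is now 100 ETH
    new = ex.sign_listing("alice", 9991, 100.0)
    new_fillable = ex.can_fill(new, check_nonce=use_nonce)
    filled = ex.fill(old, "bob", check_nonce=use_nonce)   # bob submits the stale order
    return {"visible_while_away": [o.price_eth for o in visible_while_away],
            "new_order_fillable": new_fillable,
            "old_order_filled": filled,
            "owner": ex.owner[9991]}


if __name__ == "__main__":
    print("unmitigated:", stale_listing_scenario())
    print("cancelled:  ", stale_listing_scenario(cancel_first=True))
    print("nonce bump: ", stale_listing_scenario(use_nonce=True))
```

In the unmitigated run the seller saw no listing while the token sat in the other wallet, yet the 10 ETH order fills as soon as the token returns. Cancelling the single order works but requires the seller to remember it exists; the nonce bump is the design choice that lets a seller retire every old order in one transaction without knowing which ones are still out there.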

Coindesk reports that the bug was discovered as early as 31 December 2021.

Earlier this month, OpenSea froze NFTs that had been stolen by hackers who then attempted to sell them on the platform. That intervention sits uneasily with the decentralised philosophy of crypto advocates, who argue that blockchain technologies should not require external oversight.

Critics say centralised platforms such as OpenSea have historically had significant vulnerabilities. Check Point Research had previously found a security flaw in the platform that could let attackers hijack user accounts and empty their wallets.

“Since this issue was identified, we’ve taken it incredibly seriously and worked to ship product solutions for the community. This is not an exploit or a bug – it’s an issue that arises because of the nature of the blockchain. OpenSea cannot cancel listings on behalf of users. Instead, users must cancel their own listings,” an OpenSea spokesperson said in a statement.

“It’s OpenSea’s priority to make users aware of all their listings, and we’re working on a number of product improvements to address this, including a dashboard where they can easily see and cancel listings. In addition, we have been actively reaching out to and reimbursing affected users. We have not communicated broadly about this issue because we did not want to risk bringing it to the attention of bad actors who could abuse it at scale before we had mitigations in place.”
