OpenSea Bug Allows Hackers To Steal More Than $1 Million In NFTs
Premier NFT marketplace OpenSea may have leveraged the NFT boom for a monster $13 billion valuation, but its system is still riddled with security flaws, one of which was just exploited by hackers, resulting in the theft of roughly $1M in digital assets.
Elliptic reports that a bug on OpenSea's marketplace has played a role in at least three attacks. Hackers used the bug to purchase at least 8 NFTs for far less than what was considered their "fair market value". All three incidents occurred within a day of the report.
One of the attackers paid just $133K for seven NFTs by exploiting the bug – only to turn around and sell them immediately for $934K.
In another example, an NFT from the Bored Ape Yacht Club collection was bought for just 0.77 ETH (about $1,800 as of Monday morning). Other apes in the collection have sold for around $200K.
The sale of that BAYC member caught the attention of other niche sources of crypto-related news and gossip.
⚠️⚠️⚠️ WARNING ⚠️⚠️⚠️
MAJOR OPEN SEA BUG ALLOWING HACKERS TO STEAL YOUR #NFTS 🚨
-Please check your listings were taken down appropriately or you can be scammed instantly by the hackers.
Check my RT and also listen up 👇 pic.twitter.com/qBtIgmw6cL
— Sir Bitlord (@crypto_bitlord7) January 24, 2022
🚨BREAKING: A bug on @opensea is causing Apes to be listed and sold at previous listing prices pic.twitter.com/0zxFkXLfKx
— m0rgan.ethᵍᵐ 💎🙆🏼♀️ (@Helloimmorgan) January 24, 2022
As of 10:00 ET on Monday, the attacks appear to be ongoing.
An #OpenSea bug has caused a #BAYC #NFT to sell for less than 1% of its true value ($2,000) on #Rarible!
Find out more about how a ‘life-hack’ to avoid paying gas-fees is putting millions of dollars at risk. #NFTs #LooksRare $ETH
— Novum Insights (@NovumInsights) January 24, 2022
This means OpenSea users might want to think twice before listing one of their precious blockchain gifs for sale and then moving it between wallets without cancelling the listing, lest it be snatched up by a hacker for far less than they paid for it.
One Twitter user created a step-by-step breakdown of how the hacks unfolded:
🚨 Finished on-chain analysis of how a scammer stole Bored Ape #NFTs on @opensea and made $880k usd in 90 minutes: Below are the facts & my conclusion
🚨 RT to spread awareness
Read on …
— OKHotshot.eth (@NFTherder) January 24, 2022
Before we start – know that this thread has limited space so I’m only covering main issues. It’s intended for education purposes only and all information shared is publicly available …
— OKHotshot.eth (@NFTherder) January 24, 2022
1) Today a scammer was able to buy multiple high valued #NFTs because he found the previous listings of those nfts through a loophole
How was it done and how can you prevent this from happening to your nfts? 👇👇
— OKHotshot.eth (@NFTherder) January 24, 2022
2) A scammer known as ‘jpegdegenlove’ used a money mixer to send 10Ξ to a newly created wallet before executing this attack
He then bought a CoolCat for 3Ξ & Bored Ape for 0.77Ξ, with current floors of 12Ξ and 86Ξ❗️
What happened next? pic.twitter.com/LiddepondM
— OKHotshot.eth (@NFTherder) January 24, 2022
3) Within 20 mins the scammer sold the CoolCat for 11Ξ, and used the profits to buy another #BAYC for 6.66Ξ
Then he repeats the pattern of buying and selling various high-valued #NFTs for about 90 minutes pic.twitter.com/pEFZNuJCsg
— OKHotshot.eth (@NFTherder) January 24, 2022
4) So how is this possible? Because of improper delisting. Example: If you list your NFT for 3Ξ but then cancel that listing you have to pay gas
Some ppl avoid paying that gas by sending their NFT back & forth between 2 wallets, removing the listing off OS's site … pic.twitter.com/nDWHXeRE95
— OKHotshot.eth (@NFTherder) January 24, 2022
5) This is an issue for ANY situation where you list your NFT for sale but then transfer it back & forth between wallets WHILE that sale is still active
Because once the NFT is sent back to the original wallet the original listing is active again pic.twitter.com/izlCImCWcu
— OKHotshot.eth (@NFTherder) January 24, 2022
6) You can prevent this issue by correctly delisting your #NFTs before transferring to other wallets
If you’re trying to avoid paying gas for delisting you cannot securely send it back to the original wallet in the future
— OKHotshot.eth (@NFTherder) January 24, 2022
7) Speculation: most likely the scammer used the @opensea API to pull the old listings onto his own site where my guess would be using their own front-end or dApp to actually buy them
However …
— OKHotshot.eth (@NFTherder) January 24, 2022
8) … the scammer definitely knew what they were doing, they used a mixer to anonymize the original funding, had a list of NFTs vulnerable for this to buy, and executed the attack within 90 minutes …
— OKHotshot.eth (@NFTherder) January 24, 2022
9) This is not necessarily a hack or an exploit. A better description would be a loophole abused by a bad actor
Note that this is not limited to OS, it could happen on any marketplace
— OKHotshot.eth (@NFTherder) January 24, 2022
To prevent this from happening use the following tips:
– Do not transfer NFTs that have active listings
– Pay gas to correctly delist
– Use https://t.co/a7eWHJi1O1 or https://t.co/Tm7MF9ej3Y to revoke
This is an ongoing loophole. Please share the info!
— OKHotshot.eth (@NFTherder) January 24, 2022
Novum Insights has produced an explanation of how the bug works:
When users delist an NFT for sale, they are supposed to pay a ‘gas-fee’ to return the token to the owner’s wallet. Recently, users discovered that by transferring their NFT to another ETH address, the NFT would seemingly be delisted without paying gas. However, this only removes the NFT listing from the platform’s front-end (the user-interface of the marketplace).
Opportunists were quick to discover that if the NFT in question was ever sent back to the original ETH wallet, it would still be purchasable on Rarible as the delisting gas-fee was never paid on OpenSea. More importantly, the bug causes OpenSea’s contract to scrape the NFT’s original listing price as the current listing price – this is what caused the BAYC NFT mentioned above to be purchased for less than $2,000.
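The mechanism both the thread above and the Novum Insights explanation describe is an off-chain signed order that the marketplace UI stops showing but that the settlement contract still honours. The following is an added simulation, not code from OpenSea, the Wyvern protocol or any of the quoted authors. It assumes a Wyvern-style design in which a listing is a signed order kept off-chain, the exchange contract checks the maker's signature, an on-chain cancellation registry, current token ownership and the marketplace's operator approval, and nothing else. The wallet names, the `MARKETPLACE` operator address, the HMAC stand-in for ECDSA signatures and the prices are all constructed for the example. It walks the same listing through the gas-free "delist" (transfer out and back) under four responses: doing nothing, re-listing at a higher price, cancelling on-chain, and revoking the marketplace approval.

```python
"""Simulation of an off-chain signed NFT listing that survives a UI-only 'delist'.

Added example; not OpenSea, Wyvern or tweet-author code. Signatures are HMAC
stand-ins for ECDSA and the 'contracts' are plain Python classes (assumptions).
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

MARKETPLACE = "marketplace-proxy"  # hypothetical operator address of the exchange
# Stand-in private keys; a real wallet would sign with secp256k1 ECDSA.
KEYS = {"alice": b"alice-secret", "alice2": b"alice-secret-2", "eve": b"eve-secret"}


@dataclass(frozen=True)
class Order:
    maker: str
    token_id: int
    price_eth: float
    salt: int  # makes each listing's hash unique, so a re-list is a NEW order


def order_hash(order: Order) -> str:
    return hashlib.sha256(json.dumps(asdict(order), sort_keys=True).encode()).hexdigest()


def sign(order: Order) -> str:
    return hmac.new(KEYS[order.maker], order_hash(order).encode(), "sha256").hexdigest()


class NFT:
    """Minimal ERC-721-like ledger: ownership plus setApprovalForAll-style operators."""
    def __init__(self, owners):
        self.owners = dict(owners)
        self.approved = set()  # (owner, operator) pairs

    def set_approval_for_all(self, owner, operator, approved):
        (self.approved.add if approved else self.approved.discard)((owner, operator))

    def transfer(self, sender, to, token_id):
        owner = self.owners[token_id]
        if sender != owner and (owner, sender) not in self.approved:
            raise PermissionError("not owner or approved operator")
        self.owners[token_id] = to


class Exchange:
    """Wyvern-style settlement: orders live off-chain, cancellations live on-chain."""
    def __init__(self, nft):
        self.nft = nft
        self.cancelled = set()  # order hashes; writing here is the step that costs gas
        self.balances = {}

    def cancel(self, order, caller):
        if caller != order.maker:
            raise PermissionError("only the maker can cancel")
        self.cancelled.add(order_hash(order))

    def fill(self, order, signature, taker, payment_eth):
        """Returns why a fill failed, or 'filled' after moving the token."""
        if not hmac.compare_digest(sign(order), signature):
            return "bad signature"
        if order_hash(order) in self.cancelled:
            return "cancelled"
        if self.nft.owners[order.token_id] != order.maker:
            return "maker no longer owns token"
        if (order.maker, MARKETPLACE) not in self.nft.approved:
            return "marketplace approval revoked"
        if payment_eth < order.price_eth:
            return "underpaid"
        self.nft.transfer(MARKETPLACE, taker, order.token_id)  # operator moves the token
        self.balances[order.maker] = self.balances.get(order.maker, 0) + payment_eth
        return "filled"


def scenario(remediation):
    """Alice lists token 1 at 0.77 ETH, 'delists' by bouncing it between wallets,
    and Eve (who saved the signed order from the public order book) tries to fill."""
    nft = NFT({1: "alice"})
    nft.set_approval_for_all("alice", MARKETPLACE, True)
    ex = Exchange(nft)
    listing = Order("alice", 1, 0.77, salt=1)
    sig = sign(listing)  # published off-chain; Eve keeps a copy
    if remediation == "relist_higher":
        sign(Order("alice", 1, 90.0, salt=2))  # new order; the old one is untouched
    elif remediation == "cancel_onchain":
        ex.cancel(listing, "alice")
    elif remediation == "revoke_approval":
        nft.set_approval_for_all("alice", MARKETPLACE, False)
    nft.transfer("alice", "alice2", 1)          # the gas-free 'delist'
    while_away = ex.fill(listing, sig, "eve", 0.77)
    nft.transfer("alice2", "alice", 1)          # token returns; so does the listing
    after_return = ex.fill(listing, sig, "eve", 0.77)
    return while_away, after_return, nft.owners[1]


if __name__ == "__main__":
    for r in ("none", "relist_higher", "cancel_onchain", "revoke_approval"):
        print(r, scenario(r))
```

Only the two on-chain actions, cancelling the order or revoking the operator approval, stop the fill once the token is back in the original wallet; moving the token merely makes the fill fail for as long as it is away, and re-listing at a higher price leaves the old signed order fully valid. That is the gap the thread's "pay gas to correctly delist" and "revoke" advice closes.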
On Saturday (22 January), OpenSea added a new feature that asks users to confirm whether they are sure they want to proceed when a listing is made far below the floor price of a collection. While this does not directly address the bug, it does lower the likelihood of NFTs being sold by mistake.
Unfortunately, even this didn’t fix the problem. The world is still waiting to hear from OpenSea about the issue.
Tyler Durden
Mon, 01/24/2022 – 22:50