A bug in the largest NFT marketplace, OpenSea, allowed attackers to buy at least $1 million worth of NFTs across multiple different wallets for significantly below market price, the blockchain analytics firm Elliptic said on Monday.
A non-fungible token (NFT) is a form of cryptographic asset, which records the ownership status of digital files on the blockchain. OpenSea is the largest marketplace for speculators and enthusiasts to trade their NFTs, with sales volume of $4.8 billion so far in January.
But a market loophole allowed users to buy certain NFTs at prices they had been listed for in the past, without the owner realizing they were still on sale.
OpenSea did not immediately respond to a request for comment.
“The exploit appears to stem from the fact that it was previously possible to re-list an NFT at a new price, without undoing the previous listing,” said Tom Robinson, chief scientist and co-founder of Elliptic.
“These old listings are now used to buy NFTs at prices specified in the past – often well below current market prices.”
For example, an NFT of a cartoon monkey from the Bored Ape Yacht Club collection, Bored Ape #9991, was purchased for 0.77 of the cryptocurrency ether (~$1,747) on Monday, despite the fact that these NFTs usually fetch hundreds of thousands of dollars.
Bored Ape Yacht Club is a set of 10,000 algorithmically generated cartoon ape NFTs by American company Yuga Labs.
About 20 minutes after Bored Ape #9991 was bought for 0.77 ether, it was sold for 84.2 ether (about $189,040), according to blockchain records seen on OpenSea, giving the buyer a profit of more than $187,000.
The original owner of the NFT, identified on Twitter as “TBALLER.eth” (@T_BALLER6), tweeted shock at the transaction, saying it was unauthorized:
“Yoo guys! I don’t know what just happened, why did my monkey just sell for 0.77??????
“I didn’t list myself as a monkey at all…. Now I see DMs sold for 0.77 ?????? wtf ??????”
Elliptic’s Robinson said he has so far identified eight NFTs stolen in this way, from eight different wallets, by three attacking wallets.
One person paid a total of $133,000 for seven NFTs exploiting the bug, before quickly reselling them for $934,000, Robinson said.
He noted that even though crypto wallets are generally anonymous, it is possible that attackers could be identified if they use an exchange to withdraw cash in fiat currency.
As celebrities, investors, and big brands flock to the NFT marketplace — where sales volumes and prices of some sought-after NFTs have seen breathtaking growth — the OpenSea bug may give some shoppers reason to pause.
OpenSea was founded in 2017 and was recently valued at $13.3 billion in its latest round of venture capital funding.
Elliptic data shows that since 2020, $2 billion has been stolen from decentralized finance (DeFi) users through hacks.
“It’s not common to see market-wide exploits. We see individual users getting hacked and having their NFTs stolen, for example through phishing attacks, but it’s not common to see something that potentially affects the overall market,” Robinson added.
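The re-listing flaw Robinson describes, as a simplified model: this is an added example, not OpenSea's or Elliptic's code, and the class names, function names and the 100 ether re-list price are assumptions for illustration. It contrasts a marketplace that leaves the earlier listing live on re-list with one that cancels it, and includes the audit an owner or marketplace could run to find superseded listings that are still open to buyers.

```python
from dataclasses import dataclass, field

@dataclass
class Listing:
    token: str
    seller: str
    price_eth: float
    active: bool = True

@dataclass
class Marketplace:
    cancel_on_relist: bool              # False models the flaw described in the article
    listings: list = field(default_factory=list)

    def list_item(self, token, seller, price_eth):
        if self.cancel_on_relist:
            # Corrected behaviour: a new listing invalidates the seller's earlier ones.
            for old in self.listings:
                if old.token == token and old.seller == seller:
                    old.active = False
        self.listings.append(Listing(token, seller, price_eth))

    def cheapest_fillable(self, token):
        # The price a buyer can actually pay: the lowest listing that is still active.
        live = [l for l in self.listings if l.token == token and l.active]
        return min(live, key=lambda l: l.price_eth, default=None)

def stale_listings(market):
    """Audit: active listings that a later listing by the same seller has superseded."""
    latest = {}
    for l in market.listings:
        if l.active:
            latest[(l.token, l.seller)] = l   # last active listing per token and seller
    return [l for l in market.listings
            if l.active and latest[(l.token, l.seller)] is not l]

def demo(cancel_on_relist):
    # Constructed scenario: 0.77 is the sale price quoted in the article,
    # 100.0 is an assumed later re-list price.
    m = Marketplace(cancel_on_relist)
    m.list_item("NFT-1", "owner", 0.77)
    m.list_item("NFT-1", "owner", 100.0)
    return m.cheapest_fillable("NFT-1").price_eth, len(stale_listings(m))

if __name__ == "__main__":
    print("re-list without cancel:", demo(False))
    print("re-list with cancel:   ", demo(True))
```
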