Blockchain security firm Elliptic and several Twitter users warned yesterday about a bug in OpenSea (one of the most famous platforms for selling Non-Fungible Tokens) that allowed people to buy NFTs below their real price and then resell them for much more. The NFT sales platform has already announced that it is contacting the affected users and refunding their money.
A user wrote on Twitter that his NFT (specifically, the one in the link) was bought for about $1,800 worth of Ethereum cryptocurrency before being resold for $196,000.
The problem has affected NFTs from the well-known Bored Ape Yacht Club (the monkeys that make up some of the most expensive crypto art assets), Mutant Ape Yacht Club, Cool Cats, and Cyberkongz. It should be remembered that OpenSea was also recently the subject of controversy over how easy it is to plagiarize works of art and sell them on the site as NFTs.
How did these sales happen?
According to what Elliptic discovered, “an attacker, going by the pseudonym ‘jpegdegenlove’ paid $133,000 for seven NFTs, before quickly selling them for $934,000 (in ether). Five hours later, this ether was sent via Tornado Cash, a service used to prevent funds from being traced on the blockchain.”
Another attacker bought a single NFT from Mutant Ape Yacht Club for $10,600 before selling it five hours later for $34,800.
This was possible, according to what has been verified so far, because of an exploit within the OpenSea platform that allows NFTs to be bought at past prices, “which are often well below current market prices,” since NFTs can appreciate over time, according to security experts who analyzed what was happening.
DeFi developer Rotem Yakir posted a thread on Twitter explaining the OpenSea bug, writing that it “stems from the fact that previously you could re-list an NFT without canceling it (which you now can’t) and all previous listings are not cancelled”. In that case, although they do not appear in the user interface, those past prices remain valid.
Following my previous tweet (https://t.co/NInuTuIkgq), here is a 🧵 about the @opensea bug. 1/
– Rotem Yakir 🍊 🌐 (@yakirrotem) January 24, 2022
Old listings can be retrieved through services like https://orders.rarible.com or even the OS API, and the assets can then be bought at those prices. Yakir says that you can check at https://orders.rarible.com whether you have NFTs listed with old prices. Another option is to transfer the NFTs to a different wallet.
Solutions by OpenSea
An OpenSea spokesperson told ZDNet that the company has been working on fixes for the problem ever since it was identified. However, the spokesperson denied that it was a bug or a vulnerability: “This is not an exploit or a bug, but it is a problem that arises due to the nature of the blockchain.” The spokesperson said that each user has to cancel their own NFT listings when they transfer the listed NFTs to a different wallet.
According to OpenSea, the problem can arise whenever a user moves an NFT to a different wallet without canceling active listings, because the transaction is posted on the blockchain. The company added that it is changing the default duration of its listings from 6 months to 1 month, so that if an NFT is transferred back to a wallet after 1 month, the listing will have expired.
The platform also plans to start notifying users who still have a higher-priced listing active when they lower the price of the same item. OpenSea has said that it is adding a dashboard to user profiles that displays all inactive listings and gives users the opportunity to cancel each listing with a single click.
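The condition described above (an old listing stays valid unless it is cancelled or expires) can be modelled to audit a wallet's own listings and to see what the move from a 6-month to a 1-month default changes. This Python code is an added example, not code from OpenSea, Elliptic or Yakir; the `Listing` fields, wallet names and sample data are constructed assumptions, not any real API schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Listing:
    """One signed listing. Field names are assumptions for this example,
    not the schema of OpenSea, Rarible or any other real API."""
    listing_id: str
    token: str
    maker: str            # wallet that signed the listing
    price_eth: float
    created: datetime
    cancelled: bool = False

def is_fillable(li, owner_now, now, duration):
    """Still valid: never cancelled, not expired, and the signing wallet
    holds the token (again, if it was moved away and back)."""
    return (not li.cancelled and now < li.created + duration
            and owner_now.get(li.token) == li.maker)

def stale_listings(listings, owner_now, now, duration):
    """Fillable listings that are not the wallet's most recent listing of
    that token: the old prices a re-list leaves behind, cheapest first."""
    newest = {}
    for li in listings:
        key = (li.token, li.maker)
        if key not in newest or li.created > newest[key].created:
            newest[key] = li
    return sorted((li for li in listings
                   if li is not newest[(li.token, li.maker)]
                   and is_fillable(li, owner_now, now, duration)),
                  key=lambda li: li.price_eth)

# Constructed sample data, not real market data.
NOW = datetime(2022, 1, 24)
SIX_MONTHS, ONE_MONTH = timedelta(days=180), timedelta(days=30)
OWNERS = {"EXAMPLE #1": "0xSELLER", "EXAMPLE #2": "0xSELLER"}
SAMPLE = [
    Listing("a", "EXAMPLE #1", "0xSELLER", 2.0, NOW - timedelta(days=120)),
    Listing("b", "EXAMPLE #1", "0xSELLER", 60.0, NOW - timedelta(days=5)),
    Listing("c", "EXAMPLE #2", "0xSELLER", 1.5, NOW - timedelta(days=90), True),
    Listing("d", "EXAMPLE #2", "0xSELLER", 40.0, NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    for label, dur in (("6-month", SIX_MONTHS), ("1-month", ONE_MONTH)):
        ids = [li.listing_id for li in stale_listings(SAMPLE, OWNERS, NOW, dur)]
        print(f"{label} default: listings to cancel -> {ids}")
```

Listing "a" is the one to cancel under the 6-month default; under the 1-month default it has already expired, and it is also unfillable while the token sits in another wallet.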