$1,100,000 USD

"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."


"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."


"Fascinated by the [CryptoKitties] movement that was forming, Devin Finzer and Alex Atallah joined early adopter communities in Discord and started talking to users. With the OpenSea beta launch in December 2017, the first open marketplace for any non-fungible token on the Ethereum blockchain was born."


"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."


"There are [some] straightforward security issues [on OpenSea], which have become newly urgent given the huge quantities of money on their platform."


"A [UI] bug in OpenSea has let hackers buy rare NFTs for well below market value, in some cases leading to hundreds of thousands of dollars in losses for the original owners — and hundreds of thousands of dollars in profits for the apparent thieves." "An interface bug that had been dormant for months let attackers trade on old contracts, causing hundreds of thousands of dollars in unintended sales."


"The exploit appears to rely on the fact that NFT owners are unaware that old marketplace listings for their NFTs are still active. Those old listings are now being used to purchase NFTs at prices chosen by the seller in the past - which is often well below current market prices."


"The bug appears to have been present for weeks and seems to be referenced in at least one tweet from January 1st, 2022. But exploitation of the bug has picked up significantly in the past day: blockchain analytics company Elliptic reported that in a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to “steal” NFTs with a market value of over $1 million."


"According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea’s user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application."


"OpenSea users sell NFTs by setting a “list price” for potential buyers to see. Due to the nature of smart contracts, if a buyer accepts that list price, the NFT is automatically transferred to them. If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API."


"** Urgent ** There is an @opensea devastating bug that will keep old listings and allow exploiters to buy the NFT using their API. Immediate action is to move your NFT to a new wallet or wallet without any previous listing. I will add a [case] about it very soon."


"The way OS works is by having their marketplace conducted off-chain to save gas. When you list an item for sale (or bid) you are signing data that validates that you are willing to sell your NFT at this price." "The signature is saved in @opensea's DB off-chain and when someone wants to buy your NFT, they will send to their smart contract your previously signed data, where the signature and sale information (such as expiration & price) are validated on-chain before making the transfer."


"When you cancel a listing, you are required to perform a transaction. Why, you might ask? The reason is that someone might save your signed listing (which is public, or even via their API) and use it later, even if the listing got removed from the UI." "So the transaction on-chain will save the fact that you canceled this sale on their smart contract, and even if someone tries to use your signed data from before, the on-chain validation will reject the sale."


"So what is this bug and how to avoid it? The bug stems from the fact that previously you could re-list an NFT without canceling it (which you can't now), and all the previous listings are not canceled on-chain; this is why re-listing will NOT work." "Furthermore, transferring a previously listed NFT back to the wallet that listed it will not protect you from this bug. Re-listing will not help you either (unless you made sure you cancelled all previous listings)."


"And as we showed before, sites save old listings, and now exploiters can use this information to perform the sale since @opensea's smart contract will believe this sale is valid! (which it kinda is)." "Another big problem that @opensea has is that they don't have an order nonce, so even if you made a listing 6 months ago, then made another one 4 months ago & canceled it after 1 day, the first listing is still valid and may not be visible on the UI."


"@LooksRareNFT, for example, has the ability to cancel all orders using a nonce, so even if you somehow forgot to cancel a listing, this can make sure you are safer." "To sum up: previously, you could have re-listed an NFT without canceling the previous listing. Sometimes, but not always, if you cancel your new listing, the old one will not appear on the UI but is still valid." "The two options are to cancel the listing directly or to send it to another wallet without transferring it back until the original listing expires." "Generally, I'd say simplest is to just cancel."
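The mechanism described in the Verge excerpt above and in the thread (off-chain signed listings, on-chain validation, explicit cancellation, and the missing order nonce) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not OpenSea's, Wyvern's or LooksRare's code. An HMAC over the order hash stands in for an ECDSA wallet signature, and the wallet names, token id, prices and timestamps are constructed sample values. The weak exchange (no nonce checks) lets a replayed stale listing fill even after the token has been moved out of and back into the seller's wallet; the hardened variant adds a per-seller nonce so that one `cancel_all` transaction invalidates every earlier order, and the explicit per-order cancel works in both:

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

ETH = 10**18


@dataclass(frozen=True)
class Order:
    seller: str
    token_id: int
    price_wei: int
    expiration: int   # unix timestamp after which the order is dead
    nonce: int        # seller's order nonce at signing time (checked only by the hardened exchange)

    def digest(self) -> bytes:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).digest()


def sign(secret: bytes, order: Order) -> bytes:
    # Stand-in for an ECDSA wallet signature: HMAC over the order hash (constructed, not a real signer).
    return hmac.new(secret, order.digest(), hashlib.sha256).digest()


class Exchange:
    """Simulated exchange contract: orders live off-chain, only fills and cancels are transactions."""

    def __init__(self, secrets: dict, owners: dict, nonce_checks: bool):
        self.secrets = secrets          # address -> signing secret (stand-in for signer recovery)
        self.owners = owners            # token_id -> current owner address
        self.cancelled = set()          # order digests cancelled one-by-one on-chain
        self.min_nonce = {}             # seller -> lowest nonce still accepted (hardened only)
        self.nonce_checks = nonce_checks

    def transfer(self, token_id: int, sender: str, to: str) -> None:
        assert self.owners[token_id] == sender
        self.owners[token_id] = to

    def cancel_order(self, order: Order, sender: str) -> None:
        assert sender == order.seller
        self.cancelled.add(order.digest())   # the gas-costing transaction the thread describes

    def cancel_all(self, seller: str) -> None:
        # Hardened-only: bump the seller's nonce so every order signed under an older nonce dies at once.
        self.min_nonce[seller] = self.min_nonce.get(seller, 0) + 1

    def fill(self, order: Order, sig: bytes, buyer: str, now: int, payment_wei: int) -> bool:
        """Return True and move the token if the signed order is still valid on-chain."""
        if not hmac.compare_digest(sig, sign(self.secrets[order.seller], order)):
            return False
        if order.digest() in self.cancelled or now >= order.expiration:
            return False
        if self.owners[order.token_id] != order.seller or payment_wei < order.price_wei:
            return False
        if self.nonce_checks and order.nonce < self.min_nonce.get(order.seller, 0):
            return False
        self.owners[order.token_id] = buyer
        return True


def run_scenario(nonce_checks: bool) -> dict:
    """Seller lists cheap, relists high, round-trips the token between wallets; a stale listing is replayed."""
    secrets = {"alice": b"alice-key", "alice2": b"alice2-key"}   # constructed sample wallets
    ex = Exchange(secrets, owners={9991: "alice"}, nonce_checks=nonce_checks)
    order_db = []   # the marketplace's off-chain database; anyone who saw a listing can keep a copy
    now = 1_643_000_000

    old = Order("alice", 9991, 77 * ETH // 100, expiration=2_000_000_000, nonce=0)
    order_db.append((old, sign(secrets["alice"], old)))

    # Relist at a higher price without cancelling the old order. In the hardened model the seller
    # first calls cancel_all, a single transaction regardless of how many stale orders exist.
    if nonce_checks:
        ex.cancel_all("alice")
    new = Order("alice", 9991, 80 * ETH, expiration=2_000_000_000, nonce=ex.min_nonce.get("alice", 0))
    order_db.append((new, sign(secrets["alice"], new)))

    # The wallet round-trip that hid the old listing from the UI but changed nothing on-chain.
    ex.transfer(9991, "alice", "alice2")
    ex.transfer(9991, "alice2", "alice")

    stale_filled = ex.fill(old, order_db[0][1], buyer="buyer", now=now, payment_wei=old.price_wei)
    new_filled = ex.fill(new, order_db[1][1], buyer="buyer2", now=now, payment_wei=new.price_wei)
    return {"stale_listing_filled": stale_filled, "new_listing_filled": new_filled, "owner": ex.owners[9991]}


def cancel_then_replay() -> bool:
    """Even without nonces, an on-chain cancel of the specific order makes its replay fail."""
    secrets = {"alice": b"alice-key"}
    ex = Exchange(secrets, owners={9991: "alice"}, nonce_checks=False)
    old = Order("alice", 9991, 77 * ETH // 100, expiration=2_000_000_000, nonce=0)
    sig = sign(secrets["alice"], old)
    ex.cancel_order(old, sender="alice")
    return ex.fill(old, sig, buyer="buyer", now=1_643_000_000, payment_wei=old.price_wei)


if __name__ == "__main__":
    print("weak exchange:", run_scenario(nonce_checks=False))
    print("nonce exchange:", run_scenario(nonce_checks=True))
    print("explicit cancel blocks replay:", not cancel_then_replay())
```

The ownership check in `fill` is the reason the wallet round-trip gives no protection: once the token is back in the listing wallet, every condition the contract checks is satisfied again, and only state written by a cancel transaction (or a nonce bump) can change that.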


"NFTs with a market value of $1.1 million have been purchased in this way." "Elliptic has identified at least five attackers who have exploited this loophole to purchase at least twelve NFTs for much less than their market value. These include Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz NFTs."


"For example, at around 7am on January 24, Bored Ape Yacht Club NFT #9991 was purchased for 0.77 ETH ($1,800). This family of NFTs currently sells for at least $198,000. Twenty minutes later the hacker sold the NFT for 84.2 ETH ($196,000) – realizing a profit of $194,000."


"One attacker, going by the pseudonym "jpegdegenlove" paid a total of $133,000 for seven NFTs – before quickly selling them on for $934,000 in ether. Five hours later this ether was sent through Tornado Cash, a "mixing" service that is used to prevent blockchain tracing of funds."


"Jpegdegenlove also seems to have partially compensated two of their victims - sending 20 ETH ($45,000) to TBALLER and 13 ETH ($30,000) to Vault327."


"Another attacker purchased a single Mutant Ape Yacht Club NFT for $10,600, before selling it on five hours later for $34,800."


"It’s unclear whether OpenSea is treating the situation as an open security flaw or a result of user error. The company did not respond to a request for comment by time of publication."

OpenSea is one of the largest NFT marketplaces online. Once an order is placed, it remains available for future use unless it is cancelled or the NFT is no longer in the wallet the order applies to. If an NFT is moved from one wallet to another and back again, OpenSea fails to display the open order, but it can still be executed. Multiple users acquired up to $1.1m worth of NFTs this way, through listings that the NFT owners wrongly believed had been cancelled.

Sources And Further Reading


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.