QI Quadriga Initiative

Jan 2022 - OpenSea Bored Ape Old Contract Hack - $245k (Global)

"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."

"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."

"Fascinated by the [CryptoKitties] movement that was forming, Devin Finzer and Alex Atallah joined early adopter communities in Discord and started talking to users. With the OpenSea beta launch in December 2017, the first open marketplace for any non-fungible token on the Ethereum blockchain was born."

"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."

"There are [some] straightforward security issues [on OpenSea], which have become newly urgent given the huge quantities of money on their platform."

"A [UI] bug in OpenSea has let hackers buy rare NFTs for well below market value, in some cases leading to hundreds of thousands of dollars in losses for the original owners — and hundreds of thousands of dollars in profits for the apparent thieves." "An interface bug that had been dormant for months let attackers trade on old contracts, causing hundreds of thousands of dollars in unintended sales."

"The exploit appears to rely on the fact that NFT owners are unaware that old marketplace listings for their NFTs are still active. Those old listings are now being used to purchase NFTs at prices chosen by the seller in the past - which is often well below current market prices."

"The bug appears to have been present for weeks and seems to be referenced in at least one tweet from January 1st, 2022. But exploitation of the bug has picked up significantly in the past day: blockchain analytics company Elliptic reported that in a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to “steal” NFTs with a market value of over $1 million."

"The bug was discovered as early as December 31st, 2021, according to CoinDesk."

"According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea’s user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application."

"OpenSea users sell NFTs by setting a “list price” for potential buyers to see. Due to the nature of smart contracts, if a buyer accepts that list price, the NFT is automatically transferred to them. If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API."

"The way OS works is by having their marketplace conduct off-chain to save gas. When you list an item for sale (or bid) you are signing data that validates that you are willing to sell your NFT at this price." "The signature is saved in @opensea's DB off-chain and when someone wants to buy your NFT, they will send to their smart contract your previously signed data where the signature and sale information (such as expiration & price) are validated on-chain before making the transfer."

"When you cancel a listing, you are required to perform a transaction. Why, you might ask? The reason is that someone might save your signed listing (which are public or even their API) and use it later, even if the listing got removed from the UI." "So the transaction on-chain will save the fact that you canceled this sale on their smart contract and even if someone will try to use your signed data from before, the on-chain validation will reject the sale."

"So what is this bug and how to avoid it? The bug stems from the fact that previously you could re-list an NFT without canceling it (which you can't now) and all the previous listings are not canceled on-chain; this is why re-listing will NOT work." "Furthermore, transferring a previously listed NFT back to the wallet that listed it will not protect you from this bug. Re-listing will not help you either (unless you made sure you cancelled all previous listings)."

"And as we have shown before, sites save old listings and now exploiters can use this information to perform the sale, since the @opensea smart contract will believe this sale is valid! (which it kinda is)." "Another big problem that @opensea has is that they don't have an order nonce, so even if you made a listing 6 months ago then made another one 4 months ago & canceled it after 1 day, the first listing is still valid and may not be visible on the UI."

"@LooksRareNFT, for example, has the ability to cancel all orders using a nonce, so even if you somehow forgot to cancel a listing, this can make sure you are safer." "To sum up, previously, you could have re-listed an NFT without canceling the previous listing. Sometimes but not always, if you cancel your new listing, the old one will not appear on the UI but is still valid." "The two options are to cancel the listing directly or to send it to another wallet without transferring it back until the original listing expires." "Generally, I'd say simplest is to just cancel."

"@ACYCapital purchased my @BoredApeYC using the @opensea hack that allows a prior listed ape to be sold even once it’s been taken out of a wallet. I’m pleading for this ape to be returned. I’ll pay whatever fees were incurred."

"I really hope that @ACYCapital sends the ape back here, but we should be clear that this isn't a hack - it's the reality of listings on the blockchain. OpenSea makes it seem like listings are cancelled when you send an asset away, but they really aren't. No hacking involved."

"Why does $ACYC trade NFTs? Because our master traders generate significant capital to fuel our #DeFi yield farming further." "Atlas flipped these @BoredApeYC in 2 days for 28eth profit. ACYC is up ~41eth in just the last week trading #NFTs."

"It’s unclear whether OpenSea is treating the situation as an open security flaw or a result of user error. The company did not respond to a request for comment by time of publication."

Further Analysis

OpenSea is one of the largest NFT marketplaces online. If an order is placed on the blockchain, it remains available for future use unless it is cancelled or the NFT is no longer in the wallet the order applies to. If an NFT is moved from one wallet to another and back again, OpenSea will fail to display the open order, which can still be executed. On January 1st, a user lost their BoredApe NFT this way, at a loss of 65 ETH. It is unclear whether the NFT was ever recovered. The firm which apparently acquired it made a post about large profits on NFTs the same day.
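
The order checks described in the quoted thread can be modelled in a few lines. The following is an added example, not OpenSea's or LooksRare's code: the Marketplace class, the names, and the sample listing are constructed, HMAC stands in for the wallet's ECDSA signature, and a per-seller minimum nonce is assumed as one way to implement a "cancel all orders" feature.

```python
import hashlib, hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:            # the data a seller signs off-chain
    seller: str
    token_id: int
    price_eth: int
    expires: int
    nonce: int            # ignored unless the marketplace tracks nonces

def sign(key: bytes, order: Listing) -> bytes:
    # Assumption: HMAC stands in for the wallet's ECDSA signature.
    return hmac.new(key, repr(order).encode(), hashlib.sha256).digest()

class Marketplace:        # toy model of the on-chain checks
    def __init__(self, keys, track_nonces):
        self.keys, self.track_nonces = keys, track_nonces
        self.owner, self.cancelled, self.min_nonce = {}, set(), {}

    def fill(self, order, sig, buyer, now):
        if not hmac.compare_digest(sig, sign(self.keys[order.seller], order)):
            return "rejected: bad signature"
        if sig in self.cancelled:
            return "rejected: cancelled on-chain"
        if now > order.expires:
            return "rejected: expired"
        if self.owner.get(order.token_id) != order.seller:
            return "rejected: seller does not hold token"
        if self.track_nonces and order.nonce < self.min_nonce.get(order.seller, 0):
            return "rejected: nonce below seller minimum"
        self.owner[order.token_id] = buyer
        return f"filled at {order.price_eth} ETH"

def replay_old_listing(mitigation, track_nonces=False):
    """Constructed scenario: list low, then move the token out and back."""
    key = b"constructed-demo-key"
    m = Marketplace({"alice": key}, track_nonces)
    m.owner[1] = "alice"
    old = Listing("alice", 1, 10, expires=1000, nonce=0)
    old_sig = sign(key, old)                 # visible to anyone who saw the listing
    m.owner[1] = "alice-cold"                # transfer out ...
    away = m.fill(old, old_sig, "bob", now=5)
    m.owner[1] = "alice"                     # ... and back: the UI hides the listing
    if mitigation == "cancel":
        m.cancelled.add(old_sig)             # the gas-costing cancel transaction
    elif mitigation == "cancel_all":
        m.min_nonce["alice"] = 1             # one transaction voids every nonce < 1
    return away, m.fill(old, old_sig, "bob", now=10)
```

The first element of the result is the fill attempt while the token sits in the other wallet; the second is the attempt after it returns, which only an on-chain cancel or a tracked nonce rejects.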

How Could This Have Been Prevented?

Sources/Further Reading

An OpenSea bug let attackers snatch Apes from owners at six-figure discounts - The Verge (Mar 15)
@carsonturner Twitter (Mar 16)
@cap10bad Twitter (Mar 16)
@boredapebot Twitter (Mar 16)
How OpenSea took over the NFT trade - The Verge (Mar 10)
Dune Analytics (Mar 10)
https://opensea.io/ (Mar 9)
Meet OpenSea | The NFT marketplace with everything for everyone - YouTube (Mar 9)
https://docs.opensea.io/docs (Mar 9)
https://docs.opensea.io/docs/frequently-asked-questions (Mar 9)
https://opensea.io/about (Mar 9)
@yakirrotem Twitter (Mar 21)
@yakirrotem Twitter (Mar 21)
@ACYCapital Twitter (Mar 22)
https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21)
@NatFactsEth Twitter (Mar 23)
@GinoTheGhost Twitter (Mar 21)

