OpenSea Bug Allows Attackers to Get Massive Discount on Popular NFTs

The bug was spotted as early as December 2021.

AccessTimeIconJan 24, 2022 at 1:31 p.m. UTC
Updated May 11, 2023 at 5:05 p.m. UTC

A bug on the non-fungible tokens (NFT) marketplace OpenSea has allowed at least three attackers to secure massive discounts on several NFTs and make a huge profit.

  • The bug, which was discovered as early as Dec. 31, 2021, allowed the attackers to buy NFTs at older, lower prices, and sell them for a hefty profit. Blockchain analytics firm Elliptic wrote in a blog post that one attacker called jpegdegenlove "paid a total of $133,000 for seven NFTs – before quickly selling them on for $934,000 in ether. Five hours later, this ether was sent through Tornado Cash, a 'mixing' service that is used to prevent blockchain tracing of funds."
  • NFTs are digital assets on a blockchain that represent ownership of virtual or physical items. OpenSea is one of the largest marketplaces for NFTs.
  • Elliptic estimates the market value of the affected NFTs to be over $1 million.
  • Jpegdegenlove partially reimbursed two of the victims, sending them back a total of $75,000 on Monday, Elliptic said.
  • Some users have been transferring their listed assets to other wallets to take them off the market place whilst avoiding the delisting fee, founder of NFT project freshdrops_io tweeted back in December.
  • But even though the item may appear to be off the OpenSea front end, it is still accessible on OpenSea APIs and Rarible, another NFT marketplace.
  • CoinDesk could not reach OpenSea for comment on this story.
  • One NFT from the popular Bored Ape Yacht Club (BAYC) collection was listed under its July 2021 price of 23 ether, and the attacker was able to sell it for 135 ether, making a quick profit of more than 100 ether, tweeted Tal Be'ery, Chief Technology Officer of ZenGo crypto wallet.
  • Asked about the bug, an OpenSea Discord admin confirmed to CoinDesk that "if you had an open listing that you never cancelled, or didn't hit its expiration, it still exists."
  • "The thief had a bot to scan the blockchain for pending transactions that had low floor pending and bought them," Joe Vargas, an influencer who also runs his own NFT project, told CoinDesk.
  • Bored Ape Yacht Club, Mutant Ape Yacht Club, CyberKongz and Cool Cats NFTs have been affected.
  • One collector, who saw their BAYC sell for 0.77 ether, went on Twitter to express his shock when he realized his NFT had disappeared.

UPDATE (Jan. 24 17:56 UTC): Adds details from Elliptic's analysis.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Eliza Gkritsi

Eliza Gkritsi is a CoinDesk contributor focused on the intersection of crypto and AI.