OpenSea Bug Allows Attackers to Get Massive Discount on Popular NFTs

The bug was spotted as early as December 2021.

Jan 24, 2022 at 1:31 p.m. UTC
Updated Jan 24, 2022 at 5:56 p.m. UTC

Eliza Gkritsi is CoinDesk's crypto mining reporter based in Asia.

A bug on the non-fungible token (NFT) marketplace OpenSea has allowed at least three attackers to secure massive discounts on several NFTs and make a huge profit.

  • The bug, which was discovered as early as Dec. 31, 2021, allowed the attackers to buy NFTs at older, lower prices, and sell them for a hefty profit. Blockchain analytics firm Elliptic wrote in a blog post that one attacker called jpegdegenlove "paid a total of $133,000 for seven NFTs – before quickly selling them on for $934,000 in ether. Five hours later, this ether was sent through Tornado Cash, a 'mixing' service that is used to prevent blockchain tracing of funds."
  • NFTs are digital assets on a blockchain that represent ownership of virtual or physical items. OpenSea is one of the largest marketplaces for NFTs.
  • Elliptic estimates the market value of the affected NFTs to be over $1 million.
  • Jpegdegenlove partially reimbursed two of the victims, sending them back a total of $75,000 on Monday, Elliptic said.
  • Some users have been transferring their listed assets to other wallets to take them off the marketplace while avoiding the delisting fee, the founder of NFT project freshdrops_io tweeted back in December.
  • But even though the item may appear to be off the OpenSea front end, it is still accessible on OpenSea APIs and Rarible, another NFT marketplace.
  • CoinDesk could not reach OpenSea for comment on this story.
  • One NFT from the popular Bored Ape Yacht Club (BAYC) collection was listed under its July 2021 price of 23 ether, and the attacker was able to sell it for 135 ether, making a quick profit of more than 100 ether, tweeted Tal Be'ery, Chief Technology Officer of ZenGo crypto wallet.
  • Asked about the bug, an OpenSea Discord admin confirmed to CoinDesk that "if you had an open listing that you never cancelled, or didn't hit its expiration, it still exists."
  • "The thief had a bot to scan the blockchain for pending transactions that had low floor pending and bought them," Joe Vargas, an influencer who also runs his own NFT project, told CoinDesk.
  • Bored Ape Yacht Club, Mutant Ape Yacht Club, CyberKongz and Cool Cats NFTs have been affected.
  • One collector, who saw their BAYC sell for 0.77 ether, went on Twitter to express their shock when they realized their NFT had disappeared.
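
An added example, not from the article or from OpenSea: a simplified model of the listing behavior described in the bullets above, with a check a collector could run to find old listings that are still open. It assumes a listing can be filled only while the seller holds the token; the Listing fields, wallet names, floor prices and the 0.5 threshold are constructed, and only the 23 ether price comes from the article.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Listing:
    token: str               # constructed id, "<collection>#<n>"
    seller: str              # wallet that created the listing
    price_eth: float
    expires: Optional[int]   # unix time; None means no expiration
    cancelled: bool = False  # True only after an explicit cancel

def is_fillable(l: Listing, owner_of: dict, now: int) -> bool:
    """A listing that was never cancelled and has not expired still exists.
    Assumption: it can be filled only while the seller holds the token, so
    moving the token away hides the listing without removing it."""
    if l.cancelled:
        return False
    if l.expires is not None and l.expires <= now:
        return False
    return owner_of.get(l.token) == l.seller

def stale_listings(listings, owner_of, floor_eth, now, ratio=0.5):
    """Fillable listings priced below ratio * current collection floor."""
    flagged = []
    for l in listings:
        floor = floor_eth[l.token.split("#")[0]]
        if is_fillable(l, owner_of, now) and l.price_eth < ratio * floor:
            flagged.append(l)
    return flagged

# Constructed sample data
NOW = 1_643_000_000
LISTINGS = [
    Listing("BAYC#1", "0xA", 23.0, None),         # old price, never cancelled
    Listing("BAYC#2", "0xA", 20.0, None, True),   # explicitly cancelled
    Listing("COOL#7", "0xA", 1.0, NOW - 86_400),  # hit its expiration
    Listing("BAYC#3", "0xA", 120.0, None),        # priced above the floor
]
FLOOR = {"BAYC": 100.0, "COOL": 10.0}

def demo():
    # BAYC#1 moved to a second wallet: gone from view, listing not cancelled.
    hidden = {"BAYC#1": "0xB", "BAYC#2": "0xA", "COOL#7": "0xA", "BAYC#3": "0xA"}
    # BAYC#1 moved back to the seller: the 23 ether listing is live again.
    returned = dict(hidden, **{"BAYC#1": "0xA"})
    return ([l.token for l in stale_listings(LISTINGS, hidden, FLOOR, NOW)],
            [l.token for l in stale_listings(LISTINGS, returned, FLOOR, NOW)])

if __name__ == "__main__":
    print(demo())
```

In this model, only an explicit cancel or an expiration removes a listing; the transfer alone never does.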

UPDATE (Jan. 24 17:56 UTC): Adds details from Elliptic's analysis.


