Blockchain security company Elliptic discovered the bug on December 31, 2021, showing the transferred NFTs were listed on OpenSea. The firm identified at least three people who had made at least $1 million from the NFTs being sold for a small fraction of their true worth.
Leading NFT marketplace OpenSea is contacting and reimbursing users affected by a bug that opportunists exploited to buy NFTs for a fraction of their actual cost before reselling them at a profit. According to Motherboard, blockchain security company Elliptic and several Twitter users, the bug enabled the attackers to buy over $1 million worth of non-fungible tokens from different wallets for significantly below their market price. Chief scientist and Elliptic co-founder Tom Robinson explained:
“The exploit appears to come from the fact that it was previously possible to re-list an NFT at a new price, without canceling the previous listing […] those old listings are now being used to buy NFTs at prices specified in the past – often well below current market prices.”
Used it at least eight times to “steal” NFTs within 12 hours
According to Elliptic, the bug must have been on the marketplace for several weeks and was referenced in at least one tweet on January 1, 2022. Nonetheless, the hackers seem to have stepped up their activity beginning January 24, when they used it at least eight times to “steal” NFTs within 12 hours.
For example, the hackers bought Bored Ape Yacht Club #9991 using the loophole for 0.77 ETH ($1,760) and quickly resold it for 84.2 ETH ($192,400), meaning the attacker made a net profit of over $190,000. An Ethereum address linked to the reseller had received more than 400 ETH ($904,000) in payouts from OpenSea in the same 12-hour period. The NFT’s original owner, identified on Twitter as “TBALLER.eth” (@T_BALLER6), tweeted their shock at the transaction, which they said they did not authorize:
“Yooo guys! Idk what just happened by; why did my ape just sell for .77?????”
“I didn’t list me ape at all…. Now I’m seeing DMs it sold for .77?????? Wtf??????”
Forced into sales at a price they wouldn’t otherwise have accepted
NFT creators sell their wares on OpenSea by setting a “list price” that potential buyers will see. The nature of smart contracts is such that the NFT is automatically transferred to a buyer as soon as they accept the list price. However, should the owner wish to re-list the NFT for a higher price, they are required to cancel the first listing, something that could cost tens or hundreds of dollars in “gas fees.”
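The stale-listing problem described above, as an added illustration that is not OpenSea's code: a toy marketplace in which a listing is a signed sell order that stays fillable while the signer still owns the token. The per-seller nonce, the `cancel_all` step and the figures (token #9991, 0.77 ETH, 84.2 ETH) are taken from this article's example or assumed for the model; they show why a re-listing flow must invalidate the earlier order rather than simply create a new one.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class Listing:
    """A signed sell order; it stays valid until the seller cancels it on-chain."""
    token_id: int
    seller: str
    price_eth: Decimal
    nonce: int  # seller's order nonce at signing time (assumed part of the signed data)


@dataclass
class Marketplace:
    owner_of: dict = field(default_factory=dict)  # token_id -> current owner
    nonce_of: dict = field(default_factory=dict)  # seller -> current order nonce

    def sign_listing(self, seller, token_id, price_eth):
        return Listing(token_id, seller, Decimal(price_eth), self.nonce_of.get(seller, 0))

    def cancel_all(self, seller):
        # Bumping the nonce invalidates every listing signed with an older nonce.
        self.nonce_of[seller] = self.nonce_of.get(seller, 0) + 1

    def is_fillable(self, o):
        # Valid only if the signer still owns the token and signed with the current nonce.
        return (self.owner_of.get(o.token_id) == o.seller
                and o.nonce == self.nonce_of.get(o.seller, 0))

    def fill(self, o, buyer):
        if not self.is_fillable(o):
            raise ValueError("stale or invalid listing")
        self.owner_of[o.token_id] = buyer
        return o.price_eth


def relist_scenario(cancel_first):
    """Seller lists #9991 at 0.77 ETH, then re-lists at 84.2 ETH.

    Returns (old_fillable, new_fillable). The flawed flow corresponds to
    cancel_first=False: the old 0.77 ETH order remains fillable by anyone.
    """
    m = Marketplace()
    m.owner_of[9991] = "seller"  # constructed sample state
    old = m.sign_listing("seller", 9991, "0.77")
    if cancel_first:
        m.cancel_all("seller")  # the step the vulnerable flow omitted
    new = m.sign_listing("seller", 9991, "84.2")
    return m.is_fillable(old), m.is_fillable(new)
```

A real marketplace contract would verify the seller's signature over these fields as well; the nonce check is what makes the earlier listing unfillable once the seller re-lists.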
Elliptic’s Robinson said that he had identified eight NFTs stolen in this way so far, from eight different wallets, by three attacker wallets. He stated:
“It’s a subjective thing whether you consider this to be a loophole or a bug, but the fact is that people are being forced into sales at a price they wouldn’t otherwise have accepted right now.”