Open market online for Non-Fungible Tokens (NFT), OpenSea, is getting in touch with and compensating users exposed by the loophole letting individuals obtain NFTs for less than the market’s value, then resell it for thousands.
First reported by Vice Tech’s Motherboard on Monday after blockchain security firm Elliptic expressed concerns around the issue. Various Twitter users went to the microblogging platform to express their discontent with incidents.
The security company said in its statement that it “identified at least three attackers who have purchased at least eight NFTs for much less than their market value within the past 12 hours.”
The incident was strictly directed towards Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats, and Cyberkongz NFT’s.
“One attacker, going by the pseudonym ‘jpegdegenlove’ today paid a total of $133,000 for seven NFTs – before quickly selling them on for $934,000 in ether. Five hours later, this ether was sent through Tornado Cash, a ‘mixing’ service that is used to prevent blockchain tracing of funds,” Elliptic stated.
“Jpegdegenlove also seems to have partially compensated two of their victims – sending 20 ETH (stands at $48,633.6 as of time of writing) to TBALLER and 13 ETH ($31,561.4 as of time of writing) to Vault327. Another attacker purchased a single Mutant Ape Yacht Club NFT for $10,600, before selling it five hours later for $34,800,” it added.
Here, the main issue is mainly derived from OpenSea’s way of managing its items listing. Transferring NFTs – or doing any type of activity on the Ethereum blockchain for that matter – demands “gas” costs, and for that reason alone, the global NFT marketplace prefers to conduct its process “off the chain” – internally – before finally sending it to the blockchain before to the public transaction ledger for final settlement.
On Twitter, Rotem Yakir, a DeFi developer, issued a detailed report elaborating the faultiness of OpenSea’s bug, stating that it “stems from the fact that previously you could re-list an NFT without canceling it (which you can’t now) and all the previous listing are not canceled on-chain.”
“Previously, you could have re-list an NFT without canceling the previous list. Sometimes but not always. If you cancel your new listing, the old one will not appear on the UI but is still valid,” he added.
This means that for users to be able to cancel their listing, any transaction made on the ledger must first be sent and finalized; otherwise, the previously listed data could be used in a sale. In this case, the original listing price is not canceled, given that once the token is transferred to another wallet controlled by the user and fails to send a cancellation message to the blockchain.
OpenSea thoroughly elaborated on this in its guide to recently registered users.
“Since the issue was identified, we’ve taken it incredibly seriously and worked to ship product solutions for the community. This is not an exploit or a bug – it’s an issue that arises because of the nature of the blockchain. OpenSea cannot cancel listings on behalf of users. Instead, users must cancel their own listing,” an OpenSea spokesperson told ZDNet.
“It’s OpenSea’s priority to make sure users aware of all their listings, and we’re working on a number of product improvements to address this, including a dashboard where they can easily see and cancel listings. In addition, we have been actively reaching out to and reimbursing affected users. We have not communicated broadly about this issue because we did not want to risk bringing it to the attention of bad actors who could abuse it at scale before we had mitigations in place,” he further elaborated.
Clearly, the incident would not have occurred had it not been for OpenSea’s way of using a centralized service with decentralized tokens. And its NFT’s marketplace’s model is deliberately designed in that manner.
While the incident cannot be perceived as a hack or a bug, OpenSea is referring to it as a scam, even though users were mainly exposed to this due to how the platform’s services function.