Last week, the world’s largest NFT marketplace, Opensea, was rocked by a bug that let hackers buy valuable blue-chip NFTs on the cheap- even though they were not technically for sale! Understandably, the demand for a response and resolution was overwhelming. This is what happened and how Opensea plans to protect users in the future.
What exactly went wrong? Basically, a few lucky hackers found a bug in the Opensea system that they were able to exploit and gain access to dormant listings and buy NFTs right out from under the unsuspecting owner’s noses. What’s worse is that they sold for nowhere near what they were worth.
To explain further, it was possible to relist an NFT without canceling the previous one. That means that a valuable NFT may still be listed somewhere on Opensea for a much lower price, perhaps from a time when it was worth significantly less.
Hackers found a way to buy the NFTs from these old listings, negating the most recent ones and transferring ownership automatically to them. By selling them on very quickly, they could turn a hefty profit without getting caught.
At least eight high-value NFTs were stolen as a result of the bug. Their combined value is estimated at nearly $1.4 million- if not more. None of them were bought for over $2,000, which means incredible losses for the original owners. According to the first analysis, three hackers were involved with eight individual hacker wallets.
One example was Bored Ape #9991 from the lucrative blue-chip collection, Bored Apes Yacht Club. On Monday, 25th of January, someone bought the token for 0.77 ETH, which equates to around $1747. A mere 20 minutes later, the same NFT was re-sold for 84.2 ETH or 189,040 US Dollars. In less than half an hour, the hacker made a profit of more than $180,000 without the original owner knowing a thing.
The victim tweeted their shock and confusion, seemingly hearing about the transaction via a direct message. In the tweet, they confirmed that they did not list Bored Ape #9991 for sale and had no idea how their prized possession now belonged to somebody else.
Other stolen tokens came from collections including Cool Cats, CyberKongz, and Mutant Ape Yacht Club. Reports from Opensea show that a single hacker made more than $900,000 in profits from the attack.
One of the hackers actually sent money to two of the victims, compensating them for the loss of their NFTs- all be it nowhere near the full amount. Of course, all transactions were completely untraceable, thanks to a program called Tornado Cash.
It is worth noting that this is not the first hacker attack on NFT wallets. Phishing attacks where people break into wallets and steal NFTs have been known to happen, but not on a marketplace-wide scale.
The possibility to list an NFT without canceling the old listing first is now gone, so this kind of attack should no longer be a threat for new Opensea users. They can now view a list of all inactive listings on their account and cancel them with the click of a button.
Many people are not satisfied with the fix, stating that it only tackles part of the problem. Older users may still be vulnerable if the cancellation listings manager does not extend back to historic account activity.
Further fixes are set to launch any day, including notifications for anyone moving a new NFT into their account that has an open listing. It is a start, but this attack has listed the lid on what many see as a fundamental issue with NFT marketplaces.
It is no secret that some of the most creative a clever digital minds belong to those who are not necessarily out there to do good for the world but more for themselves. The rising rates of hacker attacks on major NFT marketplaces raise questions about security and how to develop it.
Opensea acted quickly to stop the problem, but they must continue to improve safety measures and keep up with those on the other side of the screen.