A front-end bug on the popular non-fungible token (NFT) marketplace OpenSea has reportedly enabled an attacker to gain around 332 ETH through massively discounted purchases, Peck Shield Alerts warned on 24 January.
An OpenSea user named jpegdegenlove is suspected of exploiting the bug, which allowed him to purchase several NFTs at their old listing price and then resell them at the current market price. The NFTs in question were Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) collectibles — BAYC #9991, BAYC #8924, MAYC #4986 — which netted the attacker a profit of around 332 ETH.
When an OpenSea user decides to cancel their NFT listing, the marketplace charges them a significant delisting fee, which some users get around by transferring their asset to a different wallet, automatically removing their listing. With this method, the listing is removed from the OpenSea front end but remains active on the marketplace’s API. Once the asset is transferred back to the original wallet, attackers can use Rarible — which uses OpenSea’s APIs to display and fulfill listings — to purchase the NFTs at their old price.
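The check a seller could run against their own listings follows from the mechanism above; this is an added example, not code from OpenSea, Rarible or the original article. The record fields, status names, the 50% threshold and all sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:               # hypothetical record shape, not a marketplace API schema
    token: str
    maker: str               # wallet that created the listing
    price_eth: float
    cancelled: bool          # True only if the maker explicitly cancelled it
    expires_at: int          # unix time

def audit_listings(listings, current_owner, market_eth, now, ratio=0.5):
    """Classify every listing that was never cancelled and has not expired.

    DORMANT              asset sits in another wallet; the listing comes back
                         to life if the asset returns to the maker
    FILLABLE_UNDERPRICED maker holds the asset and the price is below
                         ratio * current market price
    FILLABLE             maker holds the asset, price is near market
    """
    report = []
    for l in listings:
        if l.cancelled or l.expires_at <= now:
            continue  # cancelled or expired listings can no longer be filled
        if current_owner.get(l.token) != l.maker:
            status = "DORMANT"
        elif l.price_eth < market_eth.get(l.token, 0.0) * ratio:
            status = "FILLABLE_UNDERPRICED"
        else:
            status = "FILLABLE"
        report.append((l.token, l.price_eth, status))
    return report

# Constructed sample data: wallet names, tokens and prices are made up.
NOW = 1_700_000_000
SAMPLE = [
    Listing("TOKEN-A", "0xseller", 20.0, False, NOW + 86400),  # old price, asset moved away and back
    Listing("TOKEN-A", "0xseller", 95.0, False, NOW + 86400),  # the listing the seller intends
    Listing("TOKEN-B", "0xseller", 15.0, False, NOW + 86400),  # asset parked in another wallet
    Listing("TOKEN-C", "0xseller", 10.0, True, NOW + 86400),   # explicitly cancelled
    Listing("TOKEN-D", "0xseller", 5.0, False, NOW - 1),       # expired
]
OWNER = {"TOKEN-A": "0xseller", "TOKEN-B": "0xother",
         "TOKEN-C": "0xseller", "TOKEN-D": "0xseller"}
MARKET = {"TOKEN-A": 100.0, "TOKEN-B": 100.0, "TOKEN-C": 100.0, "TOKEN-D": 100.0}

if __name__ == "__main__":
    for row in audit_listings(SAMPLE, OWNER, MARKET, NOW):
        print(row)
```

Any `DORMANT` or `FILLABLE_UNDERPRICED` row is a listing the seller should cancel explicitly rather than rely on a wallet transfer to hide it.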
The bug was apparently flagged back in December, but the platform has not taken any measures against it so far. With their explosion in popularity — OpenSea’s monthly volume has almost reached $5 billion this month alone — NFTs have attracted the attention not only of investors, but of malicious actors too. Earlier this year, sports-focused NFT platform Lympo suffered an attack which saw 165.2 million of its LMT tokens being taken from its hot wallets.