OpenSea Bug Enables Attacker to Gain 332 ETH

  • The bug, which lets exploiters buy NFTs at enormous discounts, has been spotted as far back as December 2021.
  • The exploit has allowed one individual to make a profit of 332 ETH through several Bored Ape Yacht Club and Mutant Ape Yacht Club collectibles.

A front-end bug on the popular non-fungible token (NFT) marketplace OpenSea has reportedly enabled an attacker to gain around 332 ETH through massively discounted purchases, PeckShield Alerts warned on 24 January.

An OpenSea user named jpegdegenlove is suspected of exploiting the bug, which allowed him to purchase several NFTs at their old listing price and then resell them at the current market price. The NFTs in question were Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) collectibles (BAYC #9991, BAYC #8924 and MAYC #4986), which netted the attacker a profit of around 332 ETH.

When an OpenSea user cancels an NFT listing, the marketplace charges a significant delisting fee, which some users get around by transferring the asset to a different wallet, which automatically removes the listing. With this method the listing disappears from OpenSea’s front end but remains active in the marketplace’s API, so once the asset is transferred back to the original wallet, attackers can use Rarible (which relies on OpenSea’s APIs to display and fulfill listings) to purchase the NFTs at their old price.
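To make the mechanism concrete, here is an added Python model (not OpenSea’s or Rarible’s code) of a listing that disappears from the front end on transfer but stays fulfillable in the order book, next to a hardened validity check that also invalidates a listing once the asset has moved; the wallet names and the 10 ETH price are constructed.

```python
"""Toy model of a stale NFT listing that survives a wallet transfer (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Listing:
    token: str
    seller: str
    price_eth: float
    transfers_at_listing: int  # per-token transfer count when the order was signed


@dataclass
class Marketplace:
    owner: dict = field(default_factory=dict)      # token -> current owner (constructed data)
    transfers: dict = field(default_factory=dict)  # token -> transfers since mint
    listings: list = field(default_factory=list)   # API-side order book; never pruned on transfer

    def list_token(self, token, seller, price):
        assert self.owner[token] == seller
        self.listings.append(Listing(token, seller, price, self.transfers.get(token, 0)))

    def transfer(self, token, new_owner):
        self.owner[token] = new_owner
        self.transfers[token] = self.transfers.get(token, 0) + 1

    def visible_in_frontend(self, token):
        # The front end hides a listing whenever the seller no longer holds the token.
        return [l for l in self.listings if l.token == token and self.owner[token] == l.seller]

    def fulfillable_naive(self, listing):
        # Vulnerable rule: the order is valid whenever the seller holds the token right now,
        # so an old listing resurfaces as soon as the asset returns to the seller's wallet.
        return self.owner[listing.token] == listing.seller

    def fulfillable_hardened(self, listing):
        # Fixed rule: additionally require that the token has not moved since the listing
        # was created; any transfer (including the "move to cancel" trick) invalidates it.
        return (self.owner[listing.token] == listing.seller
                and self.transfers.get(listing.token, 0) == listing.transfers_at_listing)


def scenario():
    m = Marketplace(owner={"BAYC #9991": "alice"})
    m.list_token("BAYC #9991", "alice", 10.0)  # old, cheap listing
    old = m.listings[0]
    m.transfer("BAYC #9991", "alice-cold")     # "cancel" by moving to another wallet
    hidden = not m.visible_in_frontend("BAYC #9991")
    m.transfer("BAYC #9991", "alice")          # asset comes back to the original wallet
    return hidden, m.fulfillable_naive(old), m.fulfillable_hardened(old)
```

`scenario()` returns `(True, True, False)`: the listing is hidden, still fulfillable under the naive rule, and rejected once the transfer count is checked.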

The bug was apparently flagged back in December, but the platform has not taken any measures against it so far. With its explosion in popularity (OpenSea’s monthly volume has almost reached $5 billion this month alone), NFTs have attracted the attention not only of investors but of malicious actors too. Earlier this year, sports-focused NFT platform Lympo suffered an attack in which 165.2 million of its LMT tokens were taken from its hot wallets.
