Hacker Exploits OpenSea Bug That Undervalue NFTs To Buy And Flip Bored Apes

Scammers appear to be taking advantage of an OpenSea bug in order to purchase valuable NFTs at a considerably cheaper price than their current listing.

Several researchers and developers have detailed the ongoing problem, with some claiming that specific NFTs worth hundreds of thousands of dollars have been stolen by exploiting the platform’s bug.

OpenSea Bug Opens Platform To Hack

According to reports, a fault in the front end of prominent nonfungible token (NFT) marketplace OpenSea has resulted in an exploit that allows users to acquire popular NFTs at their prior listing price.

The issue appears to be prevalent with Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) NFT collectibles, where the exploiter was able to purchase them for their original listing price and subsequently sell them for the current market price. BAYC #9991, BAYC #8924, and MAYC #4986 are among the affected NFTs.

The hack was brought to light after NFT collector “TBALLER” tweeted that their rare Bored Ape #9991 sold for a pittance of.77 ETH, or $1,775 early Monday morning.

The buyer, who goes by “jpegdegenlove,” flipped the ape NFT almost immediately for 84.2 ETH, or roughly $200,000. The user has been able to flip about 332ETH ($754,000).

Reported exploiter Ether wallet balance Source: Etherscan

PekShieldAlert — the popular security firm PeckShield’s real-time alerts bot – alerted of an OpenSea front-end flaw earlier today, noting that the exploited had already obtained 332 ETH worth around $750K at the time.

According to cryptocurrency analysis firm Elliptic, at leaOpenSeast three attackers have purchased NFTs with a total market worth of slightly more than $1 million utilizing the weakness since Monday morning. “By exploiting this flaw, one attacker today paid a total of $133,000 for seven NFTs—before quickly selling them on for $934,000,” the firm’s blog read.

In a Twitter thread, Rotem Yakir, a developer at the decentralized money business Orbs.com, explained the vulnerability. People who relisted their NFTs without canceling them and then sold them at a higher price could have them bought at a cheaper price through the glitch, according to Yakir.

Earlier today, security researcher Tal Be’ery corroborated Elliptic and Yakir’s discovery by displaying data from the Ethereum blockchain confirming that Bored Ape Yacht Club #8274 was purchased in July for $50,500 (22.9 ETH) and resold for about $296,000. (130 ETH).

Related article | What Went Wrong In The Crypto.com (CRO) Hack? Experts Weigh In

This Exploit Is Not New

An earlier exploit on December 31 witnessed a similar scenario, in which a problem appeared to come from the transfer of assets from the OpenSea wallet to a separate wallet without the listing being cancelled.

According to one user, if someone using OpenSea put an NFT for sale and later decided they didn’t want that ad to remain active, the platform would charge for its removal. This, however, can be pricey, therefore users devised a workaround where they transferred the NFT to another wallet, thereby canceling the listing.

OpenSea didn’t address the issue when it was reported.

Related article | BitMart Leaves Users On Read As Victims Of Hack Await Refunds

Users can see if their listing has been removed from Rarible, another NFT marketplace that makes use of OpenSea’s API. According to the user, the flaw was reported after the December occurrence, but no action was taken to resolve it.

Opensea BUG ETH

ETH/USD hovers above $2,400. Source: TradingView

It’s worth noting that this problem arose as a result of the intended design of OpenSea, a centralized service that uses decentralized coins. It’s difficult to classify this as a hack or even a bug. OpenSea informs consumers that this is how its service works, which has resulted in numerous scams. The OpenSea bug shows that it is a sloppy marketplace, and if users aren’t cautious to follow proper practices, they may be exploited by more savvy users.

Whether the OpenSea bug is  being treated as an open security flaw or a result of user error is currently unclear.

Featured image from Unsplash, chart from TradingView.com and Etherscan

Source: Bitcoinist News