OpenSea users recently suffered significant losses after attackers exploited a bug in one of its smart contracts. Per a recent report by blockchain analysis firm Elliptic, the bug allowed them to purchase popular NFTs, including Bored Ape Yacht Club, at prices significantly lower than the market rate.
Follow our coverage, as hackers exploit a bug to steal $1 million in NFTs from users of the OpenSea NFT marketplace https://t.co/r1v8btf2bP
— elliptic (@elliptic) January 24, 2022
So far, at least three attackers have leveraged the vulnerability and purchased 8 NFTs in the past 12 hours. Elliptic noted that the hackers stole NFTs with a market value of just over $1 million. As an example, the firm wrote:
“One attacker, going by the pseudonym “jpegdegenlove” today paid a total of $133,000 for seven NFTs – before quickly selling them on for $934,000 in ether. Five hours later this ether was sent through Tornado Cash, a “mixing” service that is used to prevent blockchain tracing of funds.”
According to Elliptic, the attacker used a bug that let them access the previous prices of NFTs listed on OpenSea. Sellers who want to relist their NFTs at a higher price after the NFTs rise in value would need to cancel the first listing, but doing so may result in hefty gas fees.
Instead, users can leverage a mechanism that lets them re-list their NFTs by transferring the NFT to another wallet, then back to the original wallet. However, the previous listings remain on OpenSea's backend and can be accessed through the OpenSea API.
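The stale-listing condition described above can be checked from the wallet owner's side. The following is an added example, not OpenSea's or Elliptic's code: it assumes a simplified record format (the `Listing` fields and the `holdings` map are hypothetical) and uses constructed sample data to flag listings that were created before a token last returned to the seller's wallet and were never cancelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    token: str        # collection name + token id (constructed)
    seller: str       # wallet that created the listing
    price_eth: float
    created: int      # time the listing was created
    cancelled: bool   # True only if the seller explicitly cancelled it

def stale_listings(listings, holdings):
    """Flag uncancelled listings that predate the token's latest arrival in
    the seller's wallet, i.e. listings that survived a transfer round trip.

    holdings maps token -> (current_owner, received_at).
    """
    flagged = []
    for l in listings:
        owner, received_at = holdings.get(l.token, (None, 0))
        if l.cancelled or owner != l.seller:
            continue  # cancelled, or the seller no longer holds the token
        if l.created < received_at:
            flagged.append(l)
    return sorted(flagged, key=lambda l: (l.token, l.created))

# Constructed sample data (not real listings, prices or wallets).
SAMPLE_LISTINGS = [
    Listing("APE#1", "0xA", 1.0, 100, False),   # old price, never cancelled
    Listing("APE#1", "0xA", 80.0, 600, False),  # re-list after the round trip
    Listing("KONG#2", "0xB", 5.0, 200, True),   # old listing properly cancelled
    Listing("KONG#2", "0xB", 40.0, 700, False),
    Listing("CAT#3", "0xC", 2.0, 300, False),   # current listing, no transfer since
    Listing("CAT#4", "0xD", 3.0, 150, False),   # token has since moved to 0xE
]
SAMPLE_HOLDINGS = {
    "APE#1": ("0xA", 500),   # transferred away and back at t=500
    "KONG#2": ("0xB", 50),
    "CAT#3": ("0xC", 100),
    "CAT#4": ("0xE", 400),
}

def demo():
    return stale_listings(SAMPLE_LISTINGS, SAMPLE_HOLDINGS)

if __name__ == "__main__":
    for l in demo():
        print(f"cancel explicitly: {l.token} listed at {l.price_eth} ETH (t={l.created})")
```

Any listing this flags should be cancelled explicitly rather than relied on to disappear after a transfer.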
Affected NFTs were from the collections Bored Ape Yacht Club, Mutant Ape Yacht Club, CyberKongz, and Cool Cats.
Yooo guys! Idk what just happened but why did my ape just sell for .77?????
— TBALLER.eth (@T_BALLER6) January 24, 2022