OpenSea is the largest NFT marketplace in the world, the platform where many of the sector's successful collections are bought and sold. For some users, however, the platform has been a headache, and now a vulnerability has allowed an attacker to “steal” more than BRL 4 million, mainly affecting sales from the Bored Ape collection.
The alerts began on social networks, with profiles warning that a vulnerability in the OpenSea front-end had apparently allowed an attacker to take about 332 Ether, about 4.3 million reais.
It appears that @opensea has a front-end issue and the exploiter gained about 332 Ether https://t.co/35kCB1n7nv
— PeckShieldAlert (@PeckShieldAlert) January 24, 2022
Soon after, the first reports of how the possible attack works began to appear.
According to some users, a bug in the OpenSea front-end lets attackers buy items at old listing prices, which means NFTs can be bought well below a collection's current price.
User regrets loss
One of the main collections affected by the exploit was the famous Bored Ape, with hackers paying only 1700 dollars for NFTs that usually cost 200 thousand dollars.
lol so there is an OPENSEA bug that lets you buy listings and old price … and they are going after all ape owners. Bunch just got bought for under 25 eth. OPENSEA just rugging Bayc owners now
— The Autistic Wizard (@wizardofsoho) January 24, 2022
One of the owners of an NFT Bored Ape took to Twitter to vent about having “lost” one of his NFTs.
“I just lost an Ape, guys… I’m crying… How did that happen?”
I just lost an ape guys…. I’m crying…. How did this just happen????😢😢😢😢😢😢😢😢😢😢😢😢😢😢😢
— TBALLER.eth (@T_BALLER6) January 24, 2022
TBaller owned Ape 9991, which because of the OpenSea exploit was sold for just 0.77 Ethereum (about US$1,700), next to nothing compared to the minimum price of the collection, which hovers around US$200,000.
Apparently the exploit works because of a shortcut that some users were taking on the OpenSea platform. When a user wants to remove an NFT from the listing, they have to pay a fee (sometimes a very high fee).
However, because many do not want to pay this fee, they took another path: they sent the NFT to another address, and the listing was automatically removed.
And this is where the problem started: although the listing disappears from OpenSea, it is still active through the platform API. It was precisely through these “ghost listings” that many NFTs were “stolen” from their owners, bought for far less than they were really worth.
The buyer of TBaller’s Ape, identified as jpegdegenlove, was also able to buy Bored Ape 8924 for 6.66 ETH and 8274 for just under 23 ETH, about $64K.
The market value of each is at least 86 ETH, around US$ 200,000. In other words, the former owners of the tokens were left with a heavy loss.
For now, the best thing NFT collectors can do is make sure that none of their NFTs is still listed for sale in a way this exploit can use. One way to check is the website orders.rarible.com, which uses the OpenSea API and lets you see whether any of your collections are listed and at what price.
To completely cancel the listing you will need to pay network fees, but it’s better than losing your collection altogether.
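
The check described above, as an added example (not code from the article, OpenSea or Rarible): given sell orders already fetched from an order-book API, it reports listings made by your wallet that are still active but no longer shown on the marketplace page, worst discount first. The record fields, wallet placeholder and sample orders are assumptions constructed for illustration; only the 0.77 ETH, 6.66 ETH and 86 ETH figures come from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical record shape for one sell order as an order-book API might
# return it; the field names are assumptions, not OpenSea's or Rarible's schema.
@dataclass(frozen=True)
class SellOrder:
    token_id: int
    maker: str            # wallet that created the listing
    price_eth: float
    expires_at: datetime
    cancelled: bool       # True once the owner paid the fee to cancel

def find_ghost_listings(orders, wallet, shown_on_site, floor_eth, now):
    """Return (order, discount) pairs for listings made by `wallet` that are
    still active in the API but not shown on the marketplace page, sorted
    with the largest discount to the floor price first."""
    ghosts = []
    for o in orders:
        if o.maker.lower() != wallet.lower():
            continue      # someone else's listing
        if o.cancelled or o.expires_at <= now:
            continue      # already cancelled or expired
        if o.token_id in shown_on_site:
            continue      # visible listing the owner already knows about
        ghosts.append((o, 1 - o.price_eth / floor_eth))
    return sorted(ghosts, key=lambda g: g[1], reverse=True)

# Constructed sample data, grouped under one placeholder wallet. The prices for
# 9991 and 8924 are the figures quoted in the article; the rest is made up.
NOW = datetime(2022, 1, 24, tzinfo=timezone.utc)
LATER = datetime(2022, 6, 1, tzinfo=timezone.utc)
PAST = datetime(2021, 12, 1, tzinfo=timezone.utc)
WALLET = "0xOWNER_PLACEHOLDER"
SAMPLE = [
    SellOrder(9991, WALLET, 0.77, LATER, False),     # old listing, hidden
    SellOrder(8924, WALLET, 6.66, LATER, False),     # old listing, hidden
    SellOrder(1234, WALLET, 90.0, LATER, False),     # current, visible
    SellOrder(5555, WALLET, 2.0, LATER, True),       # cancelled
    SellOrder(7777, WALLET, 3.0, PAST, False),       # expired
    SellOrder(4242, "0xOTHER", 1.0, LATER, False),   # not this wallet
]

if __name__ == "__main__":
    for order, discount in find_ghost_listings(SAMPLE, WALLET, {1234}, 86.0, NOW):
        print(f"token {order.token_id}: {order.price_eth} ETH, "
              f"{discount:.0%} below floor, cancel this listing")
```

Every order it reports is one to cancel, which is the step that costs network fees.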