A bug in the code of the popular NFT trading platform OpenSea allowed scammers to buy rare NFTs at a price well below the market price and resell them thousands of times more.
Apparently, the vulnerability was exploited for several weeks. But the exploitation of the bug increased in recent days. According to Elliptic analysts, in the 12 hours since the morning of January 24, scammers used the vulnerability at least eight times to buy rare NFTs with a total value of more than $1 million.
One of the NFTs, Bored Ape Yacht Club #9991, was purchased using an exploit for 0.77 ETH ($1,760) and immediately resold for 84.2 ETH ($192,400). Over a 12-hour period, the Ethereum address associated with the attacker received over 400 ETH ($900,000) in payouts from OpenSea.
According to a tweet by software developer Rotem Yakir, the error is caused by a mismatch between the information available in NFT smart contracts and the information provided by the OpenSea user interface. Essentially, attackers used old smart contracts that were stored on the blockchain but are no longer present in the OpenSea application interface.
When selling NFTs, an OpenSea user sets the list price for potential buyers. If the buyer agrees to this price, the transaction is carried out automatically through a smart contract. If the owner of the NFT wants to increase the value of the token, then he must cancel the first smart contract paying for this operation with gas, and then place a new smart contract. Because the cost of canceling a smart contract currently reaches tens or even hundreds of dollars, users prefer to bypass this procedure. They transfer NFT to another wallet, and then back to the original one. This method removes the list of previous sell smart contracts from the OpenSea app interface, but they remain active on the blockchain. Such “outdated” but active smart contracts could presumably be found through the OpenSea API, which was exploited by the attackers.
According to CoinDesk, the bug was discovered as early as December 31, 2021. A tweet written almost two weeks ago on January 12, 2022 details the forced sale of NFTs using the same method.