Scammers exploited an OpenSea bug to acquire valuable NFTs at far lower prices than their current listings. Many researchers and developers claim that specific NFTs worth thousands of dollars were stolen by exploiting a weakness in the platform. Did the notorious BAYC sell for a discounted price on OpenSea?
According to multiple sources, a flaw in the front end of the popular NFT marketplace OpenSea resulted in exploitation that allowed users to purchase popular NFTs at their previous listing price.
The problem seemed most prevalent with BAYC (Bored Ape Yacht Club) and MAYC NFT collectibles, where the hacker was able to buy them at their original listing price and then sell them for the current market value.
The affected NFTs included BAYC #9991, BAYC #8924, and MAYC #4986.
The breach was discovered after NFT collector “TBALLER” tweeted that their rare BAYC #9991 sold for pennies: 0.77 ETH, or $1,775.
The buyer, who was identified as “jpegdegenlove,” sold the ape NFT almost immediately for 84.2 ETH, or over $200,000.
What is OpenSea?
OpenSea is a decentralized peer-to-peer digital marketplace for buying, selling, and trading NFTs and other exclusive crypto collectibles. Indeed, OpenSea brands itself as the world’s largest marketplace for digital commodities. As a result, it’s worth taking a deeper look at OpenSea and what it brings to NFT trading.
Touted as the world’s first and largest NFT marketplace, it offers users a wide range of unique digital items. In addition to digital art, there are collectibles, domain names, gaming items, and even digital representations of physical assets. OpenSea functions similarly to eBay for digital assets, with millions of assets sorted into hundreds of categories.
Trading on OpenSea requires minimal trust. Users don’t have to trust their counterparties to be honest, and don’t even have to trust OpenSea. Transactions rely on technology rather than reputation, and on smart contracts rather than third parties.
Furthermore, transactions on OpenSea are “atomic,” which means that either the entire transaction occurs or none of it occurs. The standard contractual arrangement of “if you do this, I’ll do that” suffices regardless of which party has to act first.
That’s because OpenSea utilizes the “Wyvern Protocol.” This protocol is a collection of audited smart contracts that have been battle-tested in real-world applications. The Wyvern Protocol allows users to exchange state changes, such as NFT ownership, for cryptocurrency ownership. As a result, when a seller sells their NFT, it instantaneously transfers to the buyer.
To participate in OpenSea, users need a wallet, such as MetaMask.
Consider a wallet as a tool for interacting with the blockchain, as well as something users need to purchase and sell on OpenSea. However, keep in mind that OpenSea does not take custody of assets. It only serves as a platform for peer-to-peer trading.
As a result, while OpenSea maintains extra data on its servers, it does not store your NFTs. Your NFTs are owned by a blockchain address, which you control using your private key or seed phrase.
A user revealed that if someone used OpenSea to list an NFT for sale and then decided to take the listing down, the platform would charge a fee to remove it. Because this can be costly, users found a workaround: moving the NFT to another wallet, thereby canceling the listing.
However, a developer explained the vulnerability in a tweet. According to the developer, users who relisted their NFTs without canceling the earlier listing and then offered them at a higher price could have them bought at the lower, older price through the glitch.
It’s worth mentioning that this issue emerged as a result of OpenSea’s intended design: a centralized service that uses decentralized currency. This makes it tough to categorize as a hack or even a bug.
OpenSea notifies customers that this is how its service operates, which has resulted in a slew of frauds. The OpenSea vulnerability shows that it is a sloppy marketplace, and more savvy users may exploit users who are not careful about following the correct procedures.
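The mechanism described above, as an added illustration that is not OpenSea's or Wyvern's own code: a sell listing is modelled as an off-chain maker-signed order that only an on-chain cancellation invalidates, so moving the NFT out of the wallet merely hides it, and moving it back makes the old, cheaper order fillable again. The wallet, token and price values are constructed from the article; `stale_listings` is a hypothetical defensive check a seller could run to spot such leftover orders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Order:
    """Off-chain sell order signed by the maker (constructed model, not the real Wyvern struct)."""
    maker: str
    token_id: str
    price_eth: float
    salt: int  # distinguishes repeated listings of the same token


@dataclass
class Marketplace:
    owner_of: dict = field(default_factory=dict)   # on-chain token ownership
    orders: list = field(default_factory=list)     # every order ever signed
    cancelled: set = field(default_factory=set)    # on-chain cancellations only

    def list_for_sale(self, maker, token_id, price_eth, salt):
        order = Order(maker, token_id, price_eth, salt)
        self.orders.append(order)  # nothing expires; the signature stays valid
        return order

    def transfer(self, token_id, to):
        # Moving the NFT hides the listing in the UI but cancels nothing on-chain.
        self.owner_of[token_id] = to

    def cancel(self, order):
        self.cancelled.add(order)  # the only way to really kill a signed order

    def is_fillable(self, order):
        return order not in self.cancelled and self.owner_of[order.token_id] == order.maker

    def stale_listings(self, wallet):
        """Defensive check: fillable orders from this wallet priced below its best live listing."""
        live = [o for o in self.orders if o.maker == wallet and self.is_fillable(o)]
        best = {}
        for o in live:
            best[o.token_id] = max(best.get(o.token_id, 0.0), o.price_eth)
        return [o for o in live if o.price_eth < best[o.token_id]]


def scenario():
    """Replays the article's sequence: list cheap, move away, move back, relist higher."""
    m = Marketplace()
    m.owner_of["BAYC #9991"] = "tballer"
    old = m.list_for_sale("tballer", "BAYC #9991", 0.77, salt=1)
    m.transfer("BAYC #9991", "tballer-vault")  # listing disappears from the UI
    m.transfer("BAYC #9991", "tballer")        # old order becomes fillable again
    m.list_for_sale("tballer", "BAYC #9991", 100.0, salt=2)
    return m, old
```

Running `stale_listings("tballer")` after `scenario()` returns the 0.77 ETH order; only an explicit `cancel(old)` makes it disappear.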
Exploiting OpenSea’s Platform
The OpenSea platform’s security vulnerability allows a hacker to generate a malicious NFT and deliver it as a gift to target victims.
When the malicious NFT is viewed, a pop-up from OpenSea’s storage domain appears, requesting a connection to the target’s crypto wallet. Not suspecting the pop-up, the victim clicks to link their wallet to claim the gift (NFT), granting the hacker access to the user’s wallet.
A new pop-up window detailing a transaction is then triggered, likewise sent from OpenSea’s storage domain. If the user clicks it without reading the notification, the hacker can drain the whole crypto wallet.
Victims are easily duped because each activity on the platform, even liking art in the system, requires a wallet sign-in. These notifications avoid suspicion because they resemble the frequent system prompts that consumers are used to seeing when using these services.
Will Bored Ape Sue OpenSea?
There’s been no report of such a development. However, phishing attacks such as this are a major concern for crypto experts, so expect that many people will be monitoring the situation as it progresses.
As the value of NFTs has risen over the course of 2021 and beyond, they have become a desirable target for hacking and phishing attacks. For example, cybercriminals stole hundreds of dollars worth of NFTs from the Nifty Gateway marketplace in March 2021, while in August 2021, pseudonymous developer Stazie was robbed of 16 CryptoPunks NFTs via a phishing attempt employing a malicious pop-up that asked for their MetaMask wallet seed phrase.
Hacking and phishing scams are prevalent in the crypto world. While such attacks are pervasive across the internet, targeting everything from job credentials to credit card details, they are especially prevalent in cryptocurrency. Transactions are virtually impossible to reverse once a user’s crypto is swiped.
Therefore, users of NFT listing platforms like OpenSea should at all times adhere strictly to the proper guidelines and protocols of those platforms to reduce their exposure to cyberattacks and exploitation.