OpenSea refunds users $1.8 million in Ethereum after abusive exploit

The popular NFT marketplace OpenSea has reportedly refunded 750 Ethereum (ETH) (currently approximately $1.8/€1.6 million) to users affected by the abuse of an exploit. Among other things, various NFTs could be sold for less than their current market price.


Abuse of vulnerability

Several popular NFTs, including some from the Bored Ape Yacht Club (BAYC) collection, were sold at their old, cheaper offer prices after a vulnerability in the system was exploited. They could then be resold for the original price, so the hackers could easily make a profit.

In the exploit, the listings were never officially canceled on the blockchain, while OpenSea's user interface indicated that they had been.

This happened because tech-savvy buyers used services like Tornado Cash to funnel funds to crypto wallet addresses without disclosing the source. These funds could then be used to buy NFTs at the old quoted prices.




Exploit is not new

The exploit that has now been used does not appear to be new. The Ethereum blockchain requires users to pay a gas fee to carry out transactions. A gas fee must also be paid to cancel listings that have not yet expired, on OpenSea among other platforms.

This has enabled OpenSea to implement selectable expiration dates on its platform. Before this, however, many NFT holders had so-called inactive listings with no expiry date attached. These listings had to be canceled manually, at the cost of a gas fee. These inactive listings pose a risk to users.


Loophole

To avoid these gas fees, among other things, a loophole was found. When an NFT was transferred to a secondary wallet and then back to the original wallet, the listing disappeared from the OpenSea user interface.

Although the listing disappeared from the user interface, it did not disappear from the Ethereum blockchain. In reality, instead of ‘active’, the listing was simply set to ‘inactive’. These inactive listings could in turn simply be bought by blockchain experts who interact directly with smart contracts. This is where it went wrong for many users, who became victims of the vulnerability.
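The gap described above, between what the user interface shows and what remains valid on the blockchain, can be modelled in a few lines. The following Python sketch is an added example, not OpenSea's code; the field names, wallet names, prices and the simplified validity rule (not canceled on-chain, not expired, maker holds the token) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Listing:
    token_id: str
    maker: str                        # wallet that created the listing
    price_eth: float
    expires_at: Optional[int]         # None = older listing with no expiry date
    cancelled_on_chain: bool = False  # only a paid cancel transaction sets this
    inactive_in_ui: bool = False      # what the marketplace front end displays

def transfer(owners, listings, token_id, new_owner):
    """Move a token. The UI marks the previous owner's listings inactive;
    nothing is cancelled on-chain, and moving the token back changes nothing."""
    owners[token_id] = new_owner
    for l in listings:
        if l.token_id == token_id and l.maker != new_owner:
            l.inactive_in_ui = True

def fillable_on_chain(l, owners, now):
    """Assumed rule: not cancelled, not expired, maker holds the token again."""
    return (not l.cancelled_on_chain
            and (l.expires_at is None or now < l.expires_at)
            and owners.get(l.token_id) == l.maker)

def listings_to_cancel(listings, owners, now):
    """Listings hidden from the UI that a direct contract call could still buy."""
    return [l for l in listings if l.inactive_in_ui and fillable_on_chain(l, owners, now)]

def build_sample():
    """Constructed data: three tokens owned and listed by 'alice'."""
    owners = {"nft-1": "alice", "nft-2": "alice", "nft-3": "alice"}
    listings = [
        Listing("nft-1", "alice", 20.0, None),   # no expiry date
        Listing("nft-2", "alice", 25.0, 1_000),  # expires at t=1000
        Listing("nft-3", "alice", 30.0, None),   # cancelled properly below
    ]
    for tok in ("nft-1", "nft-2"):               # the "free cancel" round trip
        transfer(owners, listings, tok, "alice-secondary")
        transfer(owners, listings, tok, "alice")
    listings[2].cancelled_on_chain = True        # gas-paying cancellation
    return owners, listings

if __name__ == "__main__":
    owners, listings = build_sample()
    for l in listings_to_cancel(listings, owners, now=2_000):
        print(f"{l.token_id}: still fillable at {l.price_eth} ETH, cancel on-chain")
```

In this model only the listing with no expiry date is still fillable at time 2000; the one with an expiry date has lapsed and the one canceled on-chain is gone for good.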

Some of the users have now been told that they will get (part of) their loss back from the platform, in Ethereum. This has generally been well received by the crypto community. In addition, the company has issued a warning to NFT owners regarding inactive listings. They said the following about this:

“Please take urgent action to cancel inactive listings if you haven’t already.”
