OpenSea Bug Allows Attackers to Steal Bored Apes at Massive Discounts
Taking advantage of the exploit, an OpenSea user 'jpegdegenlove,' who only created the account this month was also able to snap up BAYC #8924 for 6.66 ETH worth $14,700 and #8274 for just under 23 ETH or $50,800. The floor price for a BAYC NFT currently stands at 86 ETH, which is just under $200,000 at the time of writing.
Jpegdegenlove also bought two Mutant Ape NFTs, a Cool Cats NFT, and a CyberKongz NFT, and appears to have gained about 332 ETH worth $733,500 using the exploit. Etherscan has since aptly labeled jpegdegenlove’s account as 'OpenSea Opportunistic Buyer'.
In a Twitter thread, Rotem Yakir, a developer at the decentralized money business Orbs.com, explained that the bugs apply to those who re-listed their NFTs without properly canceling them.
For instance, if someone was using OpenSea to put an NFT for sale and later decided to cancel it, the platform would still charge for a delisting fee. However, to avoid the transaction fees, some of the users resorted to transferring the NFTs to another wallet (preferably their own), in an attempt to cancel the listing fee.
While OpenSea removes the NFT listing from the website’s frontend, the order remains still active if it wasn’t canceled on-chain. Because of this, when a collector moves their NFTs back to their original wallet, the listing becomes visible or listed for sale on NFT marketplaces that aggregate listing orders from OpenSea. This effectively allows anyone to snipe the NFTs at the original listing price even if the owner did not intend to list the item for sale.
An earlier exploit on December 31 witnessed a similar scenario where an issue appeared to come from the transfer of assets from the OpenSea wallet to a separate wallet without the listing being canceled. The flaw was reported after the December occurrence, but no action was taken by the NFT platform to resolve it.
