An OpenSea Bug Let Attackers Snatch NFTs from Owners at Six-figure Discounts (theverge.com)
A bug in OpenSea, the popular NFT marketplace, has let hackers buy rare NFTs for well below market value, in some cases leading to hundreds of thousands of dollars in losses for the original owners -- and hundreds of thousands of dollars in profits for the apparent thieves. From a report: The bug appears to have been present for weeks and seems to be referenced in at least one tweet from January 1st, 2022. But exploitation of the bug has picked up significantly in the past day: blockchain analytics company Elliptic reported that in a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to "steal" NFTs with a market value of over $1 million. One of the NFTs, Bored Ape Yacht Club #9991, was purchased using the exploit technique for 0.77 ETH ($1,760) and quickly resold for 84.2 ETH ($192,400), netting the attacker a profit of more than $190,000. An Ethereum address linked to the reseller had received more than 400 ETH ($904,000) in payouts from OpenSea in the same 12-hour period.
"It's a subjective thing whether you consider this to be a loophole or a bug, but the fact is that people are being forced into sales at a price they wouldn't otherwise have accepted right now," said Tom Robinson, chief scientist and co-founder of Elliptic. According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea's user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application.
Re: (Score:1)
It's a feature. Duh.
None of the above; "Code is law"
Then "Bugs are justice"
Re: "loophole or a bug"? (Score:2)
"Steal" an NFT by changing a single pixel on an existing NFT and then selling it to some idiot for $190,000.
Re: (Score:2)
Oh no! (Score:5, Funny)
Somebody stole my nothing!
Re: (Score:1)
Probably a woman trying to figure out what this "Nothing Box" thing her husband keeps talking about is.
Re: Oh no! (Score:3)
The tulip market has been very dynamic recently.
Re: (Score:2)
Somebody stole my nothing!
Nice one!
Re: (Score:2)
You win the Internet for this week. Take good care of it and don't drop it otherwise the elders will ban you.
Re: (Score:2)
Didn't we tell you? Oh. You think that's the Internet because we... we told you that was the Internet. Yes, of course it's the Internet, Jen.
Re: (Score:1)
Re: Oh no! (Score:2)
Oh noes! (Score:4, Funny)
Someone funged my tokens!
I'm sure.. (Score:2)
Some crypto-advocates will be along real soon to explain how this is actually a good thing, or how this somehow doesn't count as an issue with crypto and should be ignored.
Re: (Score:3)
I'm no crypto-bro, but I have to think the more hard-hit people jumping on the NFT bandwagon are, the more likely the whole joke collapses on itself. In the end, that would be a positive.
Re: (Score:2)
The premise of this "scandal" is that the seller of these NFT's lost money.... but the NFT's didnt cost the seller anything to begin with, yeah?
NFT's sold for less than expected. Big deal. Why not articles about how something actually tech related is selling for sell or more than expected?
Re: (Score:2)
Re: (Score:2)
Obviously it is both a good thing for crypto and has nothing to do with crypto at the same time! Can't let that opportunity go to waste, after all...
Humans confirmed for massively stupid (Score:2)
Crying for attention hoping to create 'worth'. (Score:2)
Quit trying to draw attention to this self inflicted bullshit.
Re: (Score:2)
Isn't it odd how it is always the same "bored Ape" shit that keeps getting "stolen" and "resold".
It's like the ultimate McGuffin, isn't it?
Re: (Score:2)
I must be hungry, I read that as "McMuffin".
Re: (Score:3)
Hehehehe, "All my Apes! Gone!", hehehehehe. Epic quote!
I slipped up and RTFA (Score:5, Informative)
I wanted to know what was actually happening and the summary doesn't actually say, so I went and read the actual article which does. It seems to me that the problem is with the people the summary claims are being stolen from. Here's how it works, at least as much as anything NFT related can be described as working.
Bob owns an NFT of Natalie Portman covered in hot grits looking at the goatse picture. He lists the NFT for sale for $10 because he can't imagine anyone will pay much for a goatse picture. He then changes his mind and thinks people like looking at hot grits and decides he should up the price. Bob has agreed he must pay a fee if he wishes to withdraw a contract, and doesn't want to do that, so he moves it to the back of the bulletin board announcing all NFTs for sale, thinking no one will see it there. He then posts a new listing on the front of the board offering the NFT for sale for $100,000. Alice comes along and realizes there are contracts stapled to the back of the board that aren't publicly visible. She takes Bob's original contract, which he did not cancel, only hid from low-effort public view, and executes it, buying the NFT for $10. Bob is now angry and has been defrauded for $100,000?
Re: I slipped up and RTFA (Score:5, Informative)
Yeah, thanks for summarizing this better than the editors. The click bait headline and first paragraph were a bit misleading. "Market price" my ass.
FTFA (emphasis mine):
If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API.
So the blockchain works, people can fool a front-end but can't lie to the blockchain. I don't like NFTs or defi coin or cryptocurrency stuff, but this bug should be closed as WNF/Working As Designed.
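The quoted paragraph describes the whole mechanism: a listing is a signed sell order that stays fillable as long as the maker owns the token and has approved the exchange, so moving the token out and back only hides it from the front end. The toy model below is an added example, not OpenSea or Wyvern contract code; the class and field names (Listing, Registry, NaiveExchange, HardenedExchange, nonce, expiry) are assumptions chosen to show the stale-listing fill and the two checks (a per-maker nonce and an expiry) that a later comment on this page asks about when it wonders why the old contracts had no expiration date.

```python
"""Toy model of why a stale NFT listing can still be filled after the owner
moves the token out of and back into the same wallet, and what a hardened
order check changes.

Added example, not OpenSea or Wyvern code. Class and field names
(Listing, Registry, NaiveExchange, HardenedExchange, nonce, expiry) are
assumptions chosen to illustrate the mechanism, not a real contract ABI.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:
    """An off-chain signed sell order. Nothing on-chain records it until
    someone submits it to be filled, so it cannot 'notice' transfers."""
    maker: str                     # wallet that signed the listing
    token_id: int
    price_eth: float
    nonce: int = 0                 # maker's order nonce at signing (hardened check only)
    expiry: float = float("inf")   # unix time after which the listing is dead


class Registry:
    """Minimal ERC-721-like ownership plus operator approval."""
    def __init__(self, owners):
        self.owners = dict(owners)   # token_id -> owner
        self.approved = set()        # (owner, operator) pairs

    def set_approval_for_all(self, owner, operator):
        self.approved.add((owner, operator))

    def transfer(self, sender, receiver, token_id):
        if self.owners[token_id] != sender:
            raise PermissionError("not the owner")
        self.owners[token_id] = receiver


class NaiveExchange:
    """Fills a listing if the maker currently owns the token, has approved the
    exchange, and has not explicitly cancelled that exact listing. A transfer
    out and back leaves all three conditions true."""
    name = "exchange"

    def __init__(self, registry):
        self.r = registry
        self.cancelled = set()
        self.nonces = {}             # maker -> current nonce (used by subclass)

    def cancel(self, listing):       # one on-chain tx per listing: costs gas
        self.cancelled.add(listing)

    def increment_nonce(self, maker):  # one on-chain tx for ALL of maker's listings
        self.nonces[maker] = self.nonces.get(maker, 0) + 1

    def current_nonce(self, maker):
        return self.nonces.get(maker, 0)

    def is_fillable(self, listing, now):
        if listing in self.cancelled:
            return False
        if self.r.owners.get(listing.token_id) != listing.maker:
            return False
        return (listing.maker, self.name) in self.r.approved

    def fill(self, listing, buyer, now=0):
        if not self.is_fillable(listing, now):
            return False
        self.r.transfer(listing.maker, buyer, listing.token_id)
        return True


class HardenedExchange(NaiveExchange):
    """Adds two checks: the listing's nonce must equal the maker's current nonce
    (so one cheap tx invalidates every old listing), and the listing must not
    have expired (so a forgotten listing cannot sit live indefinitely)."""
    def is_fillable(self, listing, now):
        if listing.nonce != self.current_nonce(listing.maker):
            return False
        if now > listing.expiry:
            return False
        return super().is_fillable(listing, now)


def run_scenario(exchange_cls, bump_nonce=False, now=1_000):
    """Constructed scenario: Bob lists #9991 cheaply, 'hides' the listing by
    moving the token out and back instead of paying to cancel, then relists
    high. Alice then submits the original listing. Returns what happened."""
    r = Registry({9991: "bob"})
    ex = exchange_cls(r)
    r.set_approval_for_all("bob", ex.name)
    old = Listing(maker="bob", token_id=9991, price_eth=0.77)
    r.transfer("bob", "bob_alt", 9991)   # front end drops the listing here...
    r.transfer("bob_alt", "bob", 9991)   # ...but the signed order is unchanged
    if bump_nonce:
        ex.increment_nonce("bob")
    new = Listing(maker="bob", token_id=9991, price_eth=84.2,
                  nonce=ex.current_nonce("bob"), expiry=now + 86_400)
    old_filled = ex.fill(old, "alice", now)
    return {"old_filled": old_filled,
            "owner": r.owners[9991],
            "new_fillable": ex.is_fillable(new, now)}


if __name__ == "__main__":
    print("naive   :", run_scenario(NaiveExchange))
    print("hardened:", run_scenario(HardenedExchange, bump_nonce=True))
```

In the naive model the old 0.77 ETH listing fills and Alice ends up owning the token; in the hardened model a single nonce bump (still one on-chain transaction, but one that covers every old listing at once) makes it unfillable, and an expiry bounds how long a forgotten listing can stay live even if the seller never sends that transaction. The page does not describe what fix OpenSea actually shipped, so neither check should be read as its code.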
Re: (Score:2)
If the NFT has been transferred out of the first wallet's control, how is the old contract still valid? (is it because it's transferred back into the first? why would that make a difference, shouldn't it be a different "point-in-the-blockchain" nft?)
Re: (Score:2)
Yeah, thanks for summarizing this better than the editors. The click bait headline and first paragraph were a bit misleading. "Market price" my ass.
FTFA (emphasis mine):
If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API.
So the blockchain works, people can fool a front-end but can't lie to the blockchain. I don't like NFTs or defi coin or cryptocurrency stuff, but this bug should be closed as WNF/Working As Designed.
In that case the design itself is broken.
This is the whole crypto thing in a nutshell. It looks great in an abstract theoretical sense, but put into practice it simply doesn't work with human nature.
Do you really want a system where a simple easy to make mistake can cost you hundreds of thousands of dollars?
Re: (Score:2)
Who wrote these contracts? (Score:3)
Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application.
So there are old open electronic contracts floating around that don't have an expiration date and also don't have a condition that checks to see if the item has been subsequently sold? Sounds like very poorly written contracts.
In normal business deals, most companies have contract lawyers that try to prevent such nonsense by reviewing contracts to make sure they are solid and don't have loopholes. Sounds like these "smart" contracts aren't so smart. Not that they couldn't be smart enough but clearly they are not yet. This highlights the risk when you try to automate complex systems with technology and fail to include full analysis and fail to account for the human element.
Re: (Score:2)
Just to continue the conversation . . .
It seems that "a condition that checks to see if the item has been subsequently sold" was not implicated here.
Contracts without expiration dates can be a big problem. In business, I occasionally see concurrent contracts with different pricing etc. (cash versus mortgage contingency etc.).
Here, the sellers failed to withdraw/cancel old contracts because they were cheap & stupid.
Re: (Score:2)
Contracts without expiration dates can be a big problem.
As Coca-Cola discovered.
https://www.zycus.com/blog/con... [zycus.com]
Re: (Score:3)
It costs money to cancel the first contract to be able to make a new contract with a higher value.
So people just make a new one and don't cancel the first one, however the first one still exists, and people can still find it and execute it.
Simplified, but it's people being fucking stupid, lazy and greedy, and getting caught with their pants down.
Zero copulations given.
Re: (Score:2)
Simplified, but it's people being fucking stupid, lazy and greedy, and getting caught with their pants down.
That sums it up very nicely. The good thing is that the rest of the world can just look on in amazement and otherwise ignore this crap. Unlike if, say, some major OS vendor pushes a patch that breaks things or some widely used library has a bad vulnerability.
Rare NFT? (Score:3)
Re: (Score:2)
Re: (Score:2)
They are, by definition, rare. Each one is literally guaranteed to be one-of-a-kind. You can absolutely possess the same 1s and 0s in the same order as my NFT, but being non-fungible means your 1s and 0s are not the same as mine. Dollar bills are not rare, but dollar bill serial number B03072936 is absolutely rare.
Wait.... that's it??? That's what drives the insane pricing on NFTs? It's the fact that this URL is different to that URL?
Because if that's the case, I've got a mountain of GUIDs that I'd like to sell.
Re: (Score:2)
Wait.... that's it??? That's what drives the insane pricing on NFTs? It's the fact that this URL is different to that URL?
I specifically avoided the "value" subject. But, essentially, yes. That's what drives the value. There's a public ledger that says who I purchased my 1s and 0s from. To continue the $1 bill analogy: Say we both have a dollar bill. I have indisputable proof that my dollar bill was brought to the moon and back on Apollo 11, yours is just a random bill. On face value, they are identical (fungible) at the corner store, worth one dollar. But, because of the pedigree, mine is worth a lot more than
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Kinda like limited edition prints, where each one is exactly the same but they all have a different serial number on the back, for example?
Re: (Score:2)
How in the hell is an NFT "rare"?
Simple: If the ersatz "journalist" is trying to make things sound better.
Re: (Score:2)
In exactly the same way Disney movies go back to the "Disney Vault [wikipedia.org]" after a fixed period of time and are no longer available.
Not sure if they still do that, but the first time I heard about it I thought it was a bullshit way to market your own product by creating artificial scarcity.
Re: (Score:2)
Josh Strife Hayes has an excellent video What the hell are NFT's? [youtube.com] explaining how NFTs can be unique AND still be a scam.
The blockchain is being used to track your unique position in a queue. That unique position has a link to an (art) asset. You don't own the asset, nor any rights to it. You are buying/selling your unique position in a queue. The fact that you can Right-Click, Save As to make a copy of the art asset means NFT has no intrinsic value except for stupid people who think they are buying "sta
An interesting consequence of "code is law" (Score:2)
An interesting consequence of the "code is law" mantra is that "bugs are law". In the real world, this is fixed by judges and/or legislators. In the cyberworld, maybe it's not so easy.
Uninformed auctioneers are dangerous (Score:2)
I may be old and grumpy but (Score:3)
Re: (Score:2)
I am not sure these people are mad. They sure behave like they are though. Maybe "... for they do not know what they are doing"?
Crypto Uptime (Score:3)
Hahahahaha (Score:3)
Crypto/NFT crapware. Nice! If a real bank would operate remotely this incompetently, it would get closed and liquidated.
Re: (Score:2)
I know just the guy for this. You may have heard of him, his name is Brunt [wikipedia.org].
The wild wild west (Score:1)