An OpenSea Bug Let Attackers Snatch NFTs from Owners at Six-figure Discounts

A bug in OpenSea, the popular NFT marketplace, has let hackers buy rare NFTs for well below market value, in some cases leading to hundreds of thousands of dollars in losses for the original owners -- and hundreds of thousands of dollars in profits for the apparent thieves. From a report: The bug appears to have been present for weeks and seems to be referenced in at least one tweet from January 1st, 2022. But exploitation of the bug has picked up significantly in the past day: blockchain analytics company Elliptic reported that in a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to "steal" NFTs with a market value of over $1 million. One of the NFTs, Bored Ape Yacht Club #9991, was purchased using the exploit technique for 0.77 ETH ($1,760) and quickly resold for 84.2 ETH ($192,400), netting the attacker a profit of more than $190,000. An Ethereum address linked to the reseller had received more than 400 ETH ($904,000) in payouts from OpenSea in the same 12-hour period.

"It's a subjective thing whether you consider this to be a loophole or a bug, but the fact is that people are being forced into sales at a price they wouldn't otherwise have accepted right now," said Tom Robinson, chief scientist and co-founder of Elliptic. According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea's user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application.

Re:

[Anonymous Coward]

It's a feature. Duh.

None of the above; "Code is law"

Then "Bugs are justice"

Re: "loophole or a bug"?

[anonymouscoward52236]

"Steal" an NFT by changing a single pixel on an existing NFT and then selling it to some idiot for $190,000.

Re:

[Lehk228]

or just right click on it

Oh no!

[Baron_Yam]

Somebody stole my nothing!

Re:

[Anonymous Coward]

Probably a woman trying to figure out what this "Nothing Box" thing her husband keeps talking about is.

Re: Oh no!

[alexgieg]

The tulip market has been very dynamic recently.

Re:

[gweihir]

Somebody stole my nothing!

Nice one!

Re:

[DontBeAMoran]

You win the Internet for this week. Take good care of it and don't drop it otherwise the elders will ban you.

Re:

[Baron_Yam]

Didn't we tell you? Oh. You think that's the Internet because we... we told you that was the Internet. Yes, of course it's the Internet, Jen.

Re:

[Growlley]

No they just applied a 5 finger discount.

Re: Oh no!

[sectokia]

With bitcoin there is at least the presence of not money laundering. But a picture of an ape for $200,000â¦. hahaha. Just shows how pathetic most governments are.

Oh noes!

[Black Parrot]

Someone funged my tokens!

I'm sure..

[Junta]

Some crypto-advocates will be along real soon to explain how this is actually a good thing, or how this somehow doesn't count as an issue with crypto and should be ignored.

Re:

[nightflameauto]

I'm no crypto-bro, but I have to think the more hard-hit people jumping on the NFT bandwagon are, the more likely the whole joke collapses on itself. In the end, that would be a positive.

Re:

[Rockoon]

Not a crypto guy, but honestly the whole thing is a joke.

The premise of this "scandal" is that the seller of these NFT's lost money.... but the NFT's didnt cost the seller anything to begin with, yeah?

NFT's sold for less than expected. Big deal. Why not articles about how something actually tech related is selling for sell or more than expected?

It IS a good thing.

[mmell]

The people who lost money are (IMHO) too stupid to be trusted with it. Presumably, the beneficiaries in this act will be smarter with their ill-gotten booty . . . and let me be the first to say, ROFLMAO.

Re:

[gweihir]

Obviously it is both a good thing for crypto and has nothing to do with crypto at the same time! Can't let that opportunity go to waste, after all...

Humans confirmed for massively stupid

[Rick Schumann]

Proof: NFTs.

Crying for attention hoping to create 'worth'.

[jimtheowl]

Isn't it odd how it is always the same "bored Ape" shit that keeps getting "stolen" and "resold".

Quit trying to draw attention to this self inflicted bullshit.

Re:

[neilo_1701D]

Isn't it odd how it is always the same "bored Ape" shit that keeps getting "stolen" and "resold".

It's like the ultimate McGuffin, isn't it?

Re:

[DontBeAMoran]

I must be hungry, I read that as "McMuffin".

Re:

[gweihir]

Hehehehe, "All my Apes! Gone!", hehehehehe. Epic quote!

I sliped up and rtfa

[Angry Coward]

I wanted to know what was actually happening and the summery doesn't actually say, so I went and read the actual article which does. It seems to me that the problem is with the people the summary claims are being stolen from. Here's how it works, at least as as much as anything nft related can be described as working.

Bob owns an NFT of Natlie Portman covered in hot grits looking at the goatse picture. He lists the NFT for sale for $10 because he can't imagine anyone will pay much for a goatse picture. He then changes his mind and thinks people like looking at hot grits and decides he should up the price. Bob has agreed he must pay a fee if he wishes to withdraw a contract, and doesn't want to do that so he moves it to the back of the bulletin board announcing all nft's for sale thinking noone will see it there. He then posts a new listing on the front of the board offering the nft for sale for $100,000. Alice comes along and realizes there are contracts stapled to the back of the board that aren't publicly visible. She takes bob's original contract, which he did not cancel, only hid from low effort public view, and executes it, buying the nft for $10. Bob is now angry and has been defrauded for $100,000?

Re:I sliped up and rtfa

[OrangeTide]

Yeah, thanks for summarizing this better than the editors. The click bait headline and first paragraph were a bit misleading. "Market price" my ass.

FTFA (emphasis mine):

If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API.

So the blockchain works, people can fool a front-end but can't lie to the blockchain. I don't like NTFs or defi coin or cryptocurrency stuff, but this bug should be closed as WNF/Working As Designed.

Re:

[drkshadow]

If the NFT has been transferred out of the first wallet's control, how is the old contract still valid? (is it because it's transferred back into the first? why would that make a difference, shouldn't it be a different "point-in-the-blockchain" nft?)

Re:

[quantaman]

Yeah, thanks for summarizing this better than the editors. The click bait headline and first paragraph were a bit misleading. "Market price" my ass.

FTFA (emphasis mine):

If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API.

So the blockchain works, people can fool a front-end but can't lie to the blockchain. I don't like NTFs or defi coin or cryptocurrency stuff, but this bug should be closed as WNF/Working As Designed.

In that case the design itself is broken.

This is the whole crypto thing in a nutshell. It looks great in an abstract theoretical sense, but put into practice it simply doesn't work with human nature.

Do you really want a system where a simple easy to make mistake can cost you hundreds of thousands of dollars?

Re:

[jythie]

Huh. That really does not sounds like a loophole or a bug, but just user error.

Who wrote these contracts?

[Nkwe]

Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application.

So there are old open electronic contracts floating around that don't have an expiration date and also don't have a condition that checks to see if the item has been subsequently sold? Sounds like very poorly written contracts.

In normal business deals, most companies have contract lawyers that try to prevent such nonsense by reviewing contracts to make sure they are solid and don't have loopholes. Sounds like these "smart" contracts aren't so smart. Not that they couldn't be smart enough but clearly they are not yet. This highlights the risk when you try to automate complex systems with technology and fail to include full analysis and fail to account for the human element.

Re:

[srg33]

Just to continue the conversation . . .
It seems that "a condition that checks to see if the item has been subsequently sold" was not implicated here.
Contracts without expiration dates can be a big problem. In business, I occasionally see concurrent contracts with different pricing etc. (cash versus mortgage contingency etc.).
Here, the sellers failed to withdraw/cancel old contracts because they were cheap & stupid.

Re:

[nasch]

Contracts without expiration dates can be a big problem.

As Coca-Cola discovered.

https://www.zycus.com/blog/con... [zycus.com]

Re:

[splutty]

It costs money to cancel the first contract to be able to make a new contract with a higher value.

So people just make a new one and don't cancel the first one, however the first one still exists, and people can still find it and execute it.

Simplified, but it's people being fucking stupid, lazy and greedy, and getting caught with their pants down.

Zero copulations given.

Re:

[gweihir]

Simplified, but it's people being fucking stupid, lazy and greedy, and getting caught with their pants down.

That sums it up very nicely. The good thing is that the rest of the world can just look on in amazement and otherwise ignore this crap. Unlike if, say, some major OS vendor pushes a patch that breaks things or some widely used library has a bad vulnerability.

Rare NFT?

[thomn8r]

How in the hell is an NFT "rare"?

Re:

[Pascoea]

They are, by definition, rare. Each one is literally guaranteed to be one-of-a-kind. You can absolutely possess the same 1s and 0s in the same order as my NFT, but being non-fungible means your 1s and 0s are not the same as mine. Dollar bills are not rare, but dollar bill serial number B03072936 is absolutely rare.

Re:

[neilo_1701D]

They are, by definition, rare. Each one is literally guaranteed to be one-of-a-kind. You can absolutely possess the same 1s and 0s in the same order as my NFT, but being non-fungible means your 1s and 0s are not the same as mine. Dollar bills are not rare, but dollar bill serial number B03072936 is absolutely rare.

Wait.... that's it??? That's what drives the insane pricing on NFTs? It's the fact that this URL is different to that URL?

Because if that's the case, I've got a mountain of GUIDs that I'd like to sell.

Re:

[Pascoea]

Wait.... that's it??? That's what drives the insane pricing on NFTs? It's the fact that this URL is different to that URL?

I specifically avoided the "value" subject. But, essentially, yes. That's what drives the value. There's a public ledger that says I who I who I purchased my 1s and 0s from. To continue the $1 bill analogy: Say we both have a dollar bill. I have indisputable proof that my dollar bill was brought to the moon and back on Apollo 11, yours is just a random bill. On face value, they are identical (fungible) at the corner store, worth one dollar. But, because of the pedigree, mine is worth a lot more than

Re:

[Luthair]

Except they aren't guaranteed to be unique. The purchaser isn't buying the copyright, the author still retains it and can issue as many 'prints' as they want.

Re:

[Pascoea]

Unless I'm completely off base with my understanding, those two "prints" are still unique. That's the definition of non-fungible, one doesn't equal the other, they are not interchangeable. Even if the creator goes back and creates a dozen more, I still have (and can prove I have) the first one. That's the point of these being non-fungible, and tracked on a blockchain, there is irrefutable proof of who has what. I'm not going to argue the "value" side of things, as that is in the eye of the beholder. The

Re:

[DontBeAMoran]

Kinda like limited edition prints, where each one is exactly the same but they all have a different serial number on the back, for example?

Re:

[gweihir]

How in the hell is an NFT "rare"?

Simple: If the ersatz "journalist" is trying to make things sound better.

Re:

[DontBeAMoran]

In exactly the same way Disney movies go back to the "Disney Vault [wikipedia.org]" after a fixed period of time and are no longer available.

Not sure if they still do that, but the first time I heard about it I thought it was a bullshit way to market your own product by creating artificial scarcity.

Re:

[UnknownSoldier]

Josh Strife Hayes has an excellent video What the hell are NFT's? [youtube.com] explaining how NFTs can be unique AND still be a scam.

The blockchain is being used to track your unique position in a queue. That unique position has a link to an (art) asset. You don't own the asset, nor any rights to it. You are buying/selling your unique position in a queue. The fact that you can Right-Click, Save As to make a copy of the art asset means NFT has no intrinsic value except for stupid people who think they are buying "sta

An interesting consequence of "code is law"

[istartedi]

An interesting consequence of the "code is law" mantra is that "bugs are law". In the real world, this is fixed by judges and/or legislators. In the cyberworld, maybe it's not so easy.

Uninformed auctioneers are dangerous

[laughingskeptic]

This is like a seller selling a house that is already under an non-closed sales contract via an auctioneer to a second buyer ... and for significantly more. Describing this as theft instead of a mea culpa on their own incompetence just reinforces the notion of incompetence. The existing contract was in the block-chain so the auctioneer should never have accepted the NFT for auction.

I may be old and grumpy but

[mrthoughtful]

I may be old and grumpy but anyone spending real money on NFTs is barking mad. It’s my opinion and I’m entitled to it.

Re:

[gweihir]

I am not sure these people are mad. They sure behave like they are though. Maybe "... for they do not know what they are doing"?

Crypto Uptime

[raftpeople]

Here at Crypto XYZ, safety is our #1 priority: It's been 18 hours since our last hack

Hahahahaha

[gweihir]

Crypto/NFT crapware. Nice! If a real bank would operate remotely this incompetently, it would get closed and liquidated.

Re:

[DontBeAMoran]

I know just the guy for this. You may have heard of him, his name is Brunt [wikipedia.org].

The wild wild west

[Mazzachre]

I can see how NFTs and crypto appeal to tech-bros... No laws, no rules, completely virtual money like a computer game, spending millions of non-existing money...