Exploiting OpenSea's "vulnerability", attackers buy other people's NFTs at a low price and sell them at a high price

On January 24, NFTs belonging to multiple OpenSea users were bought at expired low listing prices and quickly resold at market prices. The affected collections include Bored Ape Yacht Club, Cool Cats and CyberKongz. One Bored Ape was bought at an old listing price of 0.77 ETH and resold for 84.2 ETH within an hour; its holder said on Twitter that he had not recently listed the NFT at 0.77 ETH.

The transaction records show that an OpenSea account named jpegdegenlove carried out these buy-low, sell-high trades. By the early morning of January 25, its Ethereum wallet held ETH worth more than US$740,000.

The attacker could "snipe" other people's NFTs because the cancellation step for OpenSea listings is easy to overlook. On the world's largest NFT marketplace, a seller must pay gas to cancel a listing on chain. Otherwise, even if the listing no longer appears in the front-end UI, the signed order remains valid on chain and can still be fulfilled, including through other platforms, at the original listing price.

DeFi developer yakirrotem explained that the attacker may have saved users' signed listings from when they were selling earlier. These signatures are publicly visible and can be retrieved through the API to purchase the user's NFT at the expired low price. Once this bug is exploited, the NFT is pocketed by the attacker and resold.

At press time, OpenSea had not publicly responded to the user losses or to the front-end issue with listings.

User NFTs were bought at a low price and sold at a high price by attackers at an expired price

"A bug on OpenSea allowed people to buy Apes at the old price. This Ape was purchased for 0.77 ETH and resold 40 minutes later for 84.2 ETH." On January 24, multiple similar tweets urged OpenSea users to move their NFT assets as soon as possible to wallets that had never signed an NFT listing on OpenSea.

An Ape NFT was bought low at 0.77 ETH and then sold high

The NFTs bought at low prices and resold at high prices were not limited to the Bored Ape Yacht Club collection; they also included Mutant Ape Yacht Club, CyberKongz and Cool Cats.

"Guys, why is my Ape only selling for 0.77 (ETH)?" Twitter user T_BALLER6 is one of the victims. He tweeted that he did not sell the Ape at 0.77 ETH recently.

Another NFT collector, ToastVirtual, said he woke up on Monday to find that his Ape had been sold at the old listing price of 6.66 ETH: "This Ape was not transferred between wallets."

The OpenSea transaction records show that the account buying low and selling high is named jpegdegenlove. Within a few hours it bought multiple well-known NFTs at old listing prices and resold them at higher prices. Blockchain security firm PeckShield published the attacker's address on Twitter, warned that OpenSea had a front-end problem, and reported that the attacker had obtained about 332 ETH. At the ETH price of $2,256 at the time of the incident, 332 ETH was worth roughly $749,000.

Why are these collectors’ NFTs being bought at expired, low prices?

A Twitter user answered the question with a screenshot, pointing to an interaction between OpenSea and another NFT marketplace, Rarible: "If you do not delete the NFT order correctly on OpenSea, this problem will be exploited."

The Q&A screenshot explains that if a seller lists an NFT and later decides to withdraw the listing, the correct way is to pay a gas fee to cancel it on chain. If the seller instead just transfers the NFT to a different Ethereum address to save gas, the listing disappears from OpenSea's front end but remains valid, and once the NFT is sent back to the original address the item can still be bought at the old price, for example through Rarible.

In fact, this "front-end problem" had already surfaced on OpenSea's help center page as an answer to a user question. Under "How do I cancel or lower the price of an NFT listing?", OpenSea replied: "Please note that transferring an NFT does not automatically cancel the listing. You must cancel the listing before transferring the NFT to a new wallet. This ensures that the listing cannot be fulfilled through OpenSea... Cancelling the listing requires paying a gas fee so that other users cannot use the NFT."

In other words, the NFTs bought at low prices were most likely exploitable because their owners had not cancelled their old listings on chain.


How to avoid leaving uncancelled orders on OpenSea?

The "loophole" in OpenSea's listing-cancellation flow was disclosed at the end of December last year; this large-scale exploitation of it has now cost users their assets.

A DeFi developer and NFT collector known as "yakirrotem" on Twitter therefore described OpenSea as an "outdated product" in the NFT world: "It is slow, has a bad user experience, and uses old smart contract code, which makes you pay more gas. It is of no benefit to traders, and it also has dangerous bugs."

Yakirrotem described OpenSea's operating model: to save gas, the platform keeps prices off-chain and settles signed orders on-chain. "When you list an item for sale (or bid), the data you sign proves that you are willing to sell your NFT at this price, and the signature is saved in OpenSea's off-chain database. When someone wants to buy your NFT, they submit it to the exchange's smart contract, and the signature and sale information are verified on chain before the transfer occurs."

Yakirrotem emphasized that when a user cancels a listing, they are asked to execute a transaction. "You may ask why. The reason is that (if you don't do this) someone may have saved your previous signed listing, because it is public, for example the Rarible platform or even the OpenSea API (it can be scraped), and use it later. Even if your listing is removed from the UI, only an on-chain transaction records the fact that you cancelled it. Then, even if someone tries to use the data you signed earlier, the on-chain verification will reject the transaction."

Additionally, transferring a previously listed NFT back to the wallet that listed it does not prevent this, and "relisting won't help you unless you make sure to cancel all previous listings."

NFT collectors illustrate OpenSea front-end issues

"Sites like Rarible save old listings, and now an attacker can use this information to execute a sale because OpenSea's smart contract believes that the sale is valid." Yakirrotem pointed out that another big problem with OpenSea is that it does not have a one-time order book: "So if you created an order 6 months ago and another order 4 months ago, and cancelled the second one a day later, the first order is still valid even though it is not visible in the UI."

After this "vulnerability" led to users' NFTs being "sniped", some argued that it was caused by users' careless handling of their NFTs. In yakirrotem's view, these problems are solvable: the newer NFT marketplace LooksRare lets users cancel all their orders at once, "so even if you somehow forget to take down a listing, this keeps you (your assets) safer."
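The following is an added example, not code from OpenSea, Wyvern, LooksRare or from yakirrotem, that models the off-chain-signature, on-chain-settlement design described above and reproduces each of the failure modes in this section: a listing hidden from the UI by transferring the NFT out and back is still fillable from a scraped copy of the signature, a relisting does not retire the older order, an on-chain cancel does, and a LooksRare-style "cancel all" nonce retires every earlier order in one transaction. Everything here is an assumption for illustration: the addresses and token are constructed, the HMAC signature and sha256 order hash stand in for ECDSA and the EIP-712 keccak digest, and the `nonce` field is the LooksRare-style mechanism, not something OpenSea's Wyvern orders carried at the time.

```python
"""Model of an off-chain signed-order NFT exchange (added example, stdlib only).
Orders are signed off-chain; only fills and cancellations are on-chain state."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Order:
    maker: str        # seller address (constructed, e.g. "0xSELLER")
    token_id: int
    price_eth: float
    nonce: int        # LooksRare-style per-maker nonce (assumption; not in Wyvern orders)
    salt: int         # distinguishes otherwise identical orders

def order_hash(order: Order) -> bytes:
    # sha256 over a canonical encoding; stands in for the EIP-712 keccak digest
    return hashlib.sha256(json.dumps(asdict(order), sort_keys=True).encode()).digest()

# Stand-in for ECDSA: HMAC keyed with the wallet's secret (assumption). On chain,
# ecrecover would check the signature without any secret registry.
SECRETS = {"0xSELLER": b"seller-secret"}   # constructed key material

def sign(address: str, order: Order) -> bytes:
    return hmac.new(SECRETS[address], order_hash(order), "sha256").digest()

def valid_signature(order: Order, sig: bytes) -> bool:
    return hmac.compare_digest(sign(order.maker, order), sig)

class Exchange:
    """The state the exchange contract keeps on chain (plus the NFT owner map)."""
    def __init__(self):
        self.owner = {}          # token_id -> address (what the NFT contract stores)
        self.cancelled = set()   # order hashes cancelled by a paid transaction
        self.filled = set()
        self.min_nonce = {}      # maker -> lowest nonce still valid ("cancel all")

    def cancel_order(self, sender, order):
        assert sender == order.maker
        self.cancelled.add(order_hash(order))

    def cancel_all(self, sender, new_min_nonce):
        self.min_nonce[sender] = new_min_nonce

    def transfer(self, sender, token_id, to):
        assert self.owner[token_id] == sender
        self.owner[token_id] = to

    def fill(self, buyer, order, sig, paid_eth) -> bool:
        """What the contract verifies before moving the NFT; returns True on success."""
        h = order_hash(order)
        if h in self.cancelled or h in self.filled:
            return False
        if order.nonce < self.min_nonce.get(order.maker, 0):
            return False
        if not valid_signature(order, sig):
            return False
        if self.owner[order.token_id] != order.maker or paid_eth < order.price_eth:
            return False
        self.filled.add(h)
        self.owner[order.token_id] = buyer
        return True

class OffchainListings:
    """The marketplace database that drives the UI. Hiding a row changes nothing
    on chain, and anyone who already copied the row still holds a valid order."""
    def __init__(self):
        self.rows = []
    def add(self, order, sig):
        self.rows.append((order, sig))
    def hide(self, order):
        self.rows = [r for r in self.rows if r[0] != order]

def setup():
    ex = Exchange()
    ex.owner[1] = "0xSELLER"     # constructed: token 1 plays the role of the Ape
    return ex, OffchainListings()

def scenario_transfer_does_not_cancel() -> bool:
    """List at 0.77, 'delist' by moving the NFT to a cold wallet and back, replay."""
    ex, db = setup()
    old = Order("0xSELLER", 1, 0.77, 0, 1)
    db.add(old, sign("0xSELLER", old))
    snapshot = list(db.rows)                    # attacker or another site scraped the API
    ex.transfer("0xSELLER", 1, "0xCOLD")
    db.hide(old)                                # the UI no longer shows the listing
    ex.transfer("0xCOLD", 1, "0xSELLER")        # NFT returns to the listing wallet
    order, sig = snapshot[0]
    return ex.fill("0xATTACKER", order, sig, 0.77)   # True: sniped at the old price

def scenario_onchain_cancel() -> bool:
    ex, db = setup()
    old = Order("0xSELLER", 1, 0.77, 0, 1)
    sig = sign("0xSELLER", old)
    ex.cancel_order("0xSELLER", old)            # costs gas, but is recorded on chain
    return ex.fill("0xATTACKER", old, sig, 0.77)     # False

def scenario_relist_does_not_help() -> bool:
    """Old 0.77 listing, newer 80 ETH listing, then cancel only the newer one."""
    ex, db = setup()
    old = Order("0xSELLER", 1, 0.77, 0, 1)
    old_sig = sign("0xSELLER", old)
    ex.cancel_order("0xSELLER", Order("0xSELLER", 1, 80.0, 0, 2))
    return ex.fill("0xATTACKER", old, old_sig, 0.77)  # True: first order still valid

def scenario_cancel_all() -> bool:
    ex, db = setup()
    old = Order("0xSELLER", 1, 0.77, 0, 1)
    old_sig = sign("0xSELLER", old)
    ex.cancel_all("0xSELLER", 1)                # one transaction retires every nonce-0 order
    return ex.fill("0xATTACKER", old, old_sig, 0.77)  # False
```

The point to take from the model is that `OffchainListings.hide` and `Exchange.transfer` never touch `cancelled` or `min_nonce`, which is all `fill` consults: the only two writes that make an old signature unusable are the per-order cancel and the nonce bump, and both are on-chain transactions that cost gas.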

How can I check whether my old NFT orders have been cancelled?

Yakirrotem said users can check on the Rarible platform whether an earlier listing is still live. "But if you want 100% security, transfer your NFT to another wallet that has never listed on OpenSea."
