Scammers Exploit OpenSea Flaw to Buy NFTs at Rock-Bottom Prices

Scammers appear to be leveraging an issue with NFT marketplace OpenSea to purchase valuable NFTs at a much lower price than their current listing. 

Multiple researchers and developers have laid out the ongoing issue, with some indicating that individual NFTs worth hundreds of thousands of dollars have been sourced using the design flaw.

The issue came to light when NFT collector "TBALLER" tweeted that their valuable Bored Ape #9991 sold for the bargain-bin price of .77 ETH, or $1,775 early on Monday morning. "Yooo guys! Idk what just happened by why did my ape just sell for .77?????" they tweeted. Almost immediately, the buyer, who goes by "jpegdegenlove," resold the ape NFT for 84.2 ETH, or nearly $200,000. 

"I just lost an ape guys…. I’m crying…. How did this just happen????" TBALLER tweeted, adding 15 crying emojis.

According to cryptocurrency analysis firm Elliptic, since Monday morning NFTs with a total market value of just over $1 million have been purchased using the flaw by at least three attackers. “One attacker today paid a total of $133,000 for seven NFTs by exploiting this flaw—before quickly selling them on for $934,000,” a blog post on Elliptic’s website reads. 

The issue appears to revolve around how OpenSea handles item listings. Doing anything on the Ethereum blockchain, such as transferring an NFT, costs "gas," and so OpenSea conducts most of its functions internally, or "off-chain," until they need to be sent to the blockchain for settlement. When listing an NFT for sale on OpenSea, the vendor is signing off-chain data that confirms they are willing to sell the item at that specific price, Rotem Yakir, a DeFi developer explained on Twitter. 

To cancel a listing, however, a transaction to the blockchain must be sent and finalized, or else previous listing data could be usable in a sale. If you simply transferred an NFT to another wallet you control and back, without actually sending a cancellation message to the blockchain, then the original listing price won’t be cancelled. OpenSea explains this all itself in a guide to new users.

This appears to be what happened with TBALLER's NFTs and others that were purchased for cheap by jpegdegenlover and other exploiters. By interacting directly with the OpenSea API or using a third party marketplace like Rarible, they were able to call an earlier listing price, and ask the marketplace to honour it, letting them buy the NFT at a steep discount. According to Elliptic, targeted NFTs have come from the Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats, and Cyberkongz collections. 

OpenSea told Motherboard in a statement that “Since this issue was identified, we’ve taken it incredibly seriously and worked to ship product solutions for the community. This is not an exploit or a bug—it’s an issue that arises because of the nature of the blockchain. OpenSea cannot cancel listings on behalf of users. Instead, users must cancel their own listings. It’s OpenSea’s priority to make users aware of all their listings, and we’re working on a number of product improvements to address this, including a dashboard where they can easily see and cancel listings. In addition, we have been actively reaching out to and reimbursing affected users. We have not communicated broadly about this issue because we did not want to risk bringing it to the attention of bad actors who could abuse it at scale before we had mitigations in place.”

TBALLER told Motherboard they have not heard from OpenSea.

It's notable that this issue occured because of how OpenSea, a centralized service working with decentralized tokens, is deliberately designed. It would be difficult to call this a hack, or even a bug. OpenSea tells users this is how its service functions, which has led to these scams. In this case OpenSea is a janky marketplace, and if users aren't careful to follow best practices they can open themselves up to being exploited by more savvy users. 

Update: This piece has been updated to include comment from TBALLER and OpenSea.