OpenSea is fixing the bug that caused NFT listings to remain on the blockchain even after users had moved the NFTs between wallets.
NFT marketplace OpenSea is not resting on its laurels. Following the recent exploitation of a user interface issue that saw some users lose vast sums of money, OpenSea will roll out a new system to help users remove old NFT sale offers.
The changes will ensure that old listings expire and will allow users to cancel all unfulfilled contracts without incurring high gas fees. Multiple delistings could be executed for very low gas fees. These changes, along with clearer signatures that make smart contract terms easier to understand, will be rolled out in the next 14 days. Users will be invited to move their accounts to the newer system.
Wallet workaround didn’t remove NFT from blockchain
Previously, users who wanted to list their NFTs at a newer, higher price didn’t delist them but transferred them into a new wallet and then back to the old wallet. Delisting them would cost tens to hundreds of ETH in gas fees, which listers were unwilling to pay. That’s the reason the wallet workaround was used. Some attackers, of which there were at least five, took the opportunity to “purchase” NFTs at the previously listed prices, which were far below the current price, and resell them at a profit. The wallet workaround removed the listing from OpenSea’s front-end. However, the listing stayed valid on the Ethereum blockchain and could apparently be accessed through an Application Programming Interface (API).
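The following is an added example, not OpenSea's code: a toy model of why the wallet workaround left the old listing fillable, and how the expiry and low-cost cancel-all changes described above close that gap. It assumes a listing is a signed offer checked at purchase time against the current owner, an optional expiry, and a per-seller counter; the counter, all names, and all values are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Listing:
    seller: str
    token_id: int
    price_eth: float
    expires_at: Optional[int]  # None = never expires (the old behaviour)
    nonce: int                 # seller's counter value when the listing was signed

class Ledger:
    """Toy stand-in for on-chain state: token owners and per-seller counters."""
    def __init__(self):
        self.owner, self.nonce = {}, {}

    def transfer(self, token_id, to):
        self.owner[token_id] = to

    def cancel_all(self, seller):
        # One state change invalidates every listing signed under the old counter.
        self.nonce[seller] = self.nonce.get(seller, 0) + 1

    def is_fillable(self, l, now):
        if self.owner.get(l.token_id) != l.seller:
            return False  # seller does not hold the token right now
        if l.expires_at is not None and now >= l.expires_at:
            return False  # listing has expired
        return l.nonce == self.nonce.get(l.seller, 0)

def stale_listings(ledger, listings, now):
    """Fillable listings priced below the seller's best live price for that token."""
    live = [l for l in listings if ledger.is_fillable(l, now)]
    best = {}
    for l in live:
        best[l.token_id] = max(best.get(l.token_id, 0), l.price_eth)
    return [l for l in live if l.price_eth < best[l.token_id]]

def scenario():
    # Constructed sample data: names, prices and timestamps are made up.
    led = Ledger(); led.transfer(1, "alice")
    old = Listing("alice", 1, 15.0, None, 0)
    led.transfer(1, "alice_alt")                 # the wallet workaround
    hidden = led.is_fillable(old, now=100)       # looks gone while the token is away
    led.transfer(1, "alice")                     # token comes back
    new = Listing("alice", 1, 90.0, None, 0)
    before = stale_listings(led, [old, new], now=100)
    expiring = Listing("alice", 1, 15.0, 50, 0)  # same offer, but with an expiry
    expired_ok = led.is_fillable(expiring, now=100)
    led.cancel_all("alice")
    after = stale_listings(led, [old, new], now=100)
    return hidden, before, expired_ok, after
```

In this model the cancel-all step also invalidates the new 90 ETH listing, so the seller would sign a fresh listing afterwards.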
Early postmortem of the attack
OpenSea almost immediately vowed to refund affected users. They have refunded 750 ETH to over 130 wallet items. OpenSea also provided a “listings” tab on user profiles that enables them to see both active and inactive listings.
According to blockchain security firm Elliptic, there were at least five attackers. One of them, “jpegdegenlove,” paid $133,000 for seven NFTs and sold them for $934,000. Their funds were passed through Tornado Cash, a tumbler that makes it difficult to trace the origin of funds on the blockchain by masking the link between the source and destination of a transaction. Jpegdegenlove sent two victims compensation of 20 ETH and 13 ETH.
Another attacker bought a Mutant Ape Yacht Club NFT for $10,600 and sold it later for $34,800. The NFT collections affected by the API exploit were Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats, and Cyberkongz NFTs.