Hacker abuses OpenSea to buy NFTs at older, cheaper prices
A threat actor has exploited a vulnerability in the backend of OpenSea, the internet’s largest NFT marketplace, to buy products at previous (lower) prices and then resell them at higher values, defrauding legitimate asset owners.
At the time of writing, the attacker has made at least 332 Ether ($745,000) by exploiting this vulnerability, according to blockchain security firm PeckShield.
The issue was initially discovered by Rotem Yakir, a software developer at DeFi platform Orbs. Yakir found that while users could put up NFTs for sale on OpenSea and then later cancel listings and update them with a new price, the previous NFT listing with the old price could still be accessed through the OpenSea API, even if it had been removed from the main web portal.
In a Twitter thread, Yakir blamed the issue on OpenSea’s decision to manage some of its listings using a dual on-chain and off-chain setup, which left some gaps in how some of its listings were being treated.
Yakir’s original findings were also confirmed earlier today by Tal Be’ery, CTO at cryptocurrency wallet app ZenGo. According to Be’ery, the attacker even managed to earn a giant 100 Ether ($225,000) in profit just from one single NFT item alone.
An OpenSea spokesperson has not returned a request for comment, and it’s currently unclear if the platform has addressed the issue.
Yakir recommended that all OpenSea users who updated prices on their listings move the NFTs in question to a new wallet, which would prevent the item from being sold to the attacker from under their noses.
The attacker’s Ether address is currently being tracked by security firms.