Hacker abuses OpenSea to buy NFTs at older, cheaper prices
A threat actor has exploited a vulnerability in the backend of OpenSea, the internet's largest NFT marketplace, to buy products at previous (lower) prices and then resell them at higher values, defrauding legitimate asset owners.
At the time of writing, the attacker has made at least 332 Ether ($745,000) by exploiting this vulnerability, according to blockchain security firm PeckShield.
The issue was initially discovered by Rotem Yakir, a software developer at DeFi platform Orbs. Yakir found that while users could put up NFTs for sale on OpenSea and then later cancel listings and update them with a new price, the previous NFT listing with the old price could still be accessed through the OpenSea API, even if it had been removed from the main web portal.
In a Twitter thread, Yakir blamed the issue on OpenSea's decision to manage some of its listings using a dual on-chain and off-chain setup, which left gaps in how some listings were handled: a listing removed off-chain (in the web portal) was not invalidated on-chain, so the old signed order remained usable.
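To make the on-chain/off-chain gap concrete, here is an added toy model of a marketplace; it is not OpenSea's code and simplifies how a real exchange contract works. A listing is a signed order, "cancelling" it in the portal only hides it from the UI, and only an on-chain nonce bump actually invalidates it. The seller name, the HMAC stand-in for wallet signatures and the nonce scheme are assumptions made for the example.

```python
import hashlib
import hmac
from collections import namedtuple

# Constructed stand-in for wallet private keys; a real exchange verifies an ECDSA signature.
KEYS = {"alice": b"alice-signing-key"}

# A listing is a signed order: (seller, token_id, price_eth, nonce, signature).
Order = namedtuple("Order", "seller token_id price_eth nonce sig")

def _digest(seller, token_id, price_eth, nonce):
    msg = f"{seller}:{token_id}:{price_eth}:{nonce}".encode()
    return hmac.new(KEYS[seller], msg, hashlib.sha256).digest()

def sign_order(seller, token_id, price_eth, nonce):
    return Order(seller, token_id, price_eth, nonce, _digest(seller, token_id, price_eth, nonce))

class Exchange:
    def __init__(self, enforce_nonce):
        self.enforce_nonce = enforce_nonce
        self.nonce = {}        # per-seller on-chain nonce (assumed invalidation scheme)
        self.api_orders = []   # every order ever broadcast: still fetchable through the API
        self.hidden = set()    # orders the web portal no longer shows

    def cancel_offchain(self, order):
        # Hides the listing in the portal only; the signed order stays fetchable and valid.
        self.hidden.add(order)

    def cancel_onchain(self, seller):
        # Bumps the seller's on-chain nonce, invalidating every order signed with a lower one.
        self.nonce[seller] = self.nonce.get(seller, 0) + 1

    def fill(self, order):
        # Would the contract accept this order? True means the NFT sells at order.price_eth.
        expected = _digest(order.seller, order.token_id, order.price_eth, order.nonce)
        if not hmac.compare_digest(expected, order.sig):
            return False
        return not (self.enforce_nonce and order.nonce < self.nonce.get(order.seller, 0))

def stale_listing_fillable(enforce_nonce):
    # Alice lists at 1 ETH, cancels, relists at 10 ETH: can the 1 ETH order still be filled?
    ex = Exchange(enforce_nonce)
    old = sign_order("alice", 1, 1.0, 0)
    ex.api_orders.append(old)
    ex.cancel_offchain(old)
    if enforce_nonce:
        ex.cancel_onchain("alice")
    ex.api_orders.append(sign_order("alice", 1, 10.0, ex.nonce.get("alice", 0)))
    return any(ex.fill(o) for o in ex.api_orders if o in ex.hidden)
```

With `enforce_nonce=False` the hidden 1 ETH order still fills, which is the gap described above; with the on-chain nonce bump it is rejected, which is the kind of invalidation moving the NFT to a fresh wallet achieves for users.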
** Urgent ** There is an @opensea devastating bug that will keep old listing and allow exploiters to buy the NFT using their API. Immediate action is to move your NFT to a new wallet or wallet without any previous listing. I will add a about it very soon— Rotem Yakir (@yakirrotem) January 24, 2022
Yakir's original findings were also confirmed earlier today by Tal Be'ery, CTO at cryptocurrency wallet app ZenGo. According to Be'ery, the attacker made a profit of roughly 100 Ether ($225,000) from a single NFT alone.
3/ immediately afterwards the attacker sells for ~130 ETH for an easy ~100 ETH gain pic.twitter.com/dTyIrwUprL— Tal Be'ery (@TalBeerySec) January 24, 2022
An OpenSea spokesperson has not returned a request for comment, and it's currently unclear if the platform has addressed the issue.
Yakir recommended that all OpenSea users who updated prices on their listings move the NFTs in question to a new wallet, which would prevent the item from being sold to the attacker from under their noses.
The attacker's Ether address is currently being tracked by security firms.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.