In light of mounting criticism and complaints from the crypto community, one of the largest NFT marketplaces, OpenSea, has reimbursed about $1.8 million to users who were affected by the recent hack on its platform.
On January 24, 2022, some OpenSea users saw their valuable NFTs sold at rock-bottom prices by hackers who leveraged a flaw in the OpenSea listing process to purchase those NFTs at discounts of almost 98% and subsequently resell them for much higher prices.
The OpenSea “Bug”
According to a report by the blockchain analytics firm Elliptic, the OpenSea exploit was the result of a flaw in how the platform handles asset listings.
OpenSea is built on the Ethereum blockchain, which is notorious for its outrageous gas fees. Therefore, to cut down on the amount spent on transactions, the NFT marketplace handles most of its functions off-chain until those transactions need to be sent to the blockchain for settlement.
To list an asset, NFT vendors on the platform have to sign off-chain data confirming the price at which they wish to sell their NFTs. However, the issue arises when vendors want to cancel the initial listing, which means sending a message to the blockchain.
To avoid paying gas fees, the vendors simply transfer the NFT to another wallet, which makes the initial offer invalid as the NFT is no longer on OpenSea.
Things get more complicated when the vendors transfer the assets back to their OpenSea wallets, perhaps when the NFT’s value has risen significantly over time. This is because the initial listing was not erased from the blockchain and anyone could buy the NFT at the initial price, which was exactly what the perpetrators did.
They allegedly discovered this design flaw in the OpenSea system and executed their attack using a bot that scanned the network for NFTs with low-floor pending orders and purchased them.
Elliptic revealed that it has identified at least five attackers who were involved in the exploit, including the user jpegdegenlove, who made at least 340 Ether, worth over $800,000 at current prices, from the exploit.
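The listing lifecycle described above can be modelled to show why moving an NFT out of a wallet only hides an old listing instead of cancelling it, and what an audit of a seller's own listings reveals. This is an added example, not OpenSea's code: the `Marketplace` and `Listing` classes, wallet names, token id and prices are constructed for illustration, and the model assumes ownership is checked only when an order is filled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    listing_id: int
    seller: str
    token_id: str
    price_eth: float  # price the seller signed off-chain

class Marketplace:
    """Toy model (assumption): ownership is checked only when an order is filled."""
    def __init__(self):
        self.owner_of = {}      # token_id -> current owner (on-chain state)
        self.listings = []      # signed listings, kept off-chain
        self.cancelled = set()  # listing ids cancelled on-chain (costs gas)

    def list_token(self, seller, token_id, price_eth):
        listing = Listing(len(self.listings), seller, token_id, price_eth)
        self.listings.append(listing)
        return listing

    def transfer(self, token_id, new_owner):
        self.owner_of[token_id] = new_owner  # changes ownership, touches no listing

    def cancel(self, listing_id):
        self.cancelled.add(listing_id)

    def is_fillable(self, listing):
        return (listing.listing_id not in self.cancelled
                and self.owner_of.get(listing.token_id) == listing.seller)

    def audit(self, seller):
        """Sort the seller's uncancelled listings into active and inactive ids."""
        report = {"active": [], "inactive": []}
        for item in self.listings:
            if item.seller == seller and item.listing_id not in self.cancelled:
                state = "active" if self.is_fillable(item) else "inactive"
                report[state].append(item.listing_id)
        return report

def replay():
    """Constructed scenario following the steps in the article."""
    m = Marketplace()
    m.owner_of["ape-1"] = "alice"
    old = m.list_token("alice", "ape-1", 1.0)
    m.transfer("ape-1", "alice-cold")   # "cancel" by moving the token, no gas paid
    after_move = m.audit("alice")
    m.transfer("ape-1", "alice")        # token returns to the selling wallet later
    m.list_token("alice", "ape-1", 50.0)
    after_return = m.audit("alice")
    m.cancel(old.listing_id)            # explicit on-chain cancellation
    return after_move, after_return, m.audit("alice")
```

In the second audit the 1.0 ETH listing is active again alongside the new 50.0 ETH one; only the explicit cancellation removes it.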
OpenSea Makes Amends
Following the exploit, OpenSea launched a new listing manager on the platform, which allows users to review both active and inactive listings and provides a one-click option to cancel inactive ones.
The NFT marketplace has also been reaching out to the affected users and reimbursing them. Speaking to Bloomberg, one victim of the attack, Robert Garcia, said his Mutant Ape NFT was sold for 4.7 Ether (about $11,300) on Sunday.
Garcia noted that he immediately emailed OpenSea after the unintentional sale and received a response from them on Thursday that offered him a refund of 13.8 Ether, worth over $35,000 at current prices.