In a recent listing bug on OpenSea, attackers stole at least $1.3 million worth of different NFTs. As per the reports by Elliptic, at least five attackers used this vulnerability to acquire at least twelve NFTs for far less than their market worth. One of the exploiters goes by the username of “jpegdegenlove”. The compromised NFTs include Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz.
After selling the NFTs, the attackers utilized Tornado Cash to conceal the ETH from being tracked. Jpegdegenlove also appears to have partly paid two of its victims – paying 20 ETH ($45,000) to TBALLER and 13 ETH ($30,000) to Vault327.
DeFi developer Rotem Yakir tweeted with a report explaining the OpenSea loophole in detail. In response to the series of reports, OpenSea claimed that it is not a bug or an exploit. A victim to the bug went out and tweeted the incident:
He further added that OpenSea should be held responsible and needs to refund those affected.
How did OpenSea respond?
According to recent announcements, OpenSea returned the affected users with $1.8 million. They tweeted out a new feature that shows a tab of active and inactive listings. They also announced a $300 million Series C investment round earlier this month, bringing its worth to at least $13.3 billion.
According to OpenSeas, the problem might develop each time a user transfers an NFT to a different wallet without removing current listings since the transaction is broadcasted to the blockchain. They added that they were in the midst of lowering its default listing length to 1 month so that if an NFT is deposited back into a wallet after one month, the listing would have expired.
They also want to alert consumers that they have a higher-priced listing available when they drop the price for the same item. NFTs are the recent spotlight of attackers and hackers. With its growing popularity, it’s not surprising how these exploits happen. Users have to ensure the safety of their own collectables to protect against further attacks.