Elliptic Finds Bugs And Cheats In OpenSea, Many “Apes” Bought At Old Prices

Bored Ape Yacht Club, provides NFT cartoon apes which are currently a trend. (photo; BAYC)

JAKARTA - Blockchain analytics firm Elliptic said on Monday, January 24 that they discovered a bug in today's largest NFT marketplace, OpenSea. The bug allows attackers (hackers) to purchase at least US$1 million NFT across several different wallets at significantly below market rates.

A non-fungible token (NFT) is a form of crypto asset, which records the ownership status of digital files on the blockchain. OpenSea is the biggest market for speculators and enthusiasts to trade their NFTs, with sales volume worth US$4.8 billion so far in January.

But a flaw in the marketplace allows users to buy certain NFTs at prices that have been listed in the past, without the owners realizing that their goods are still being sold. OpenSea did not immediately respond to a request for comment.

"The exploitation appears to stem from the fact that previously it was possible to re-list NFTs at new prices, without canceling the previous listings," said Tom Robinson, chief scientist and co-founder of Elliptic.

"Those old lists are now being used to buy NFT at prices that were set in the past - often well below current market prices," he added as quoted by Reuters.

For example, the cartoon ape NFT from the Bored Ape Yacht Club collection, Bored Ape #9991, was purchased for 0.77 cryptocurrency ether (about US$1,747 or IDR 25.1 million) last Monday, despite the fact that such an NFT usually costs hundreds of thousands of dollars.

The Bored Ape Yacht Club is a set of 10,000 NFT algorithmically generated cartoon apes created by the US-based company Yuga Labs.

About 20 minutes after Bored Ape #9991 was purchased for 0.77 ether, then the collection sold for 84.2 ether (approximately $189,040), according to blockchain records spotted on OpenSea. This method, gave the buyer a profit of more than 187,000 US dollars.

The original owners of NFT, who identified themselves on Twitter as "TBALLER.eth" (@T_BALLER6), tweeted their surprise at the transaction, which they said they did not authorize:

"Yooo guys! I don't know what just happened, why is the monkey only selling for 0.77?????"

"I didn't list me ape at all... Now I see the DM is selling for 0.77??????? Wtf??????"

Robinson of Elliptic said he had identified eight NFTs stolen this way so far, from eight different wallets, by the three attackers' wallets.

"One person paid a total of $133,000 for the seven NFTs exploiting the bug, before quickly selling them for $934,000," Robinson said.

He noted that while crypto wallets are typically anonymous, attackers can be identified if they use an exchange to cash out into fiat currency.

As celebrities, investors, and top brands flock to the NFT market, where the sales volume and prices of some sought-after NFTs have seen astonishing growth, eating -- the OpenSea bug might give buyers some reason to quit.

OpenSea was founded in 2017 and was recently valued at $13.3 billion in its latest venture funding investment.

Elliptical data shows that since 2020, $2 billion has been stolen from decentralized finance (DeFi) users via hacks.

"It's not common to see exploits of entire markets. We see individual users hacked and their NFT stolen, for example through phishing attacks, but it's not uncommon to see something that could potentially affect the entire market," added Robinson.