The NFT space has seen yet another case of someone exploiting a bug on OpenSea to buy high-priced NFTs at prices way under the floor. This time around, a scammer was able to make nearly $1 million buying and selling wrongly listed NFTs in just 90 minutes. Let’s break down what happened, the loophole on OpenSea that allowed it to happen, and the best ways to prevent it from happening to your NFTs.
The latest OpenSea bug exploit
Twitter user and blockchain investigator @NFTherder was one of the people who broke down what happened in the aftermath.
First, the scammer, who goes by “jpegdegenlove”, created a new ETH wallet and put 10 ETH in it. They used this wallet to buy a Cool Cat NFT for 3 ETH and a Bored Ape Yacht Club NFT for 0.77 ETH. For reference, the Cool Cats floor is 12.64 ETH at the moment, while the BAYC floor is 93 ETH.
Next, the bug exploiter flipped the Cool Cat for 11 ETH, and the BAYC NFT for 84.2 ETH. They then continued to buy and flip high-value, blue-chip NFTs on OpenSea for about 90 minutes, finishing with about 394 ETH. At the current value of ETH, this would be worth over $900,000. A jaw-dropping amount of money, all stemming from exploiting an OpenSea bug that some unfortunate NFT owners weren’t aware of.
What exactly is this loophole on OpenSea?
As NFT Herder and many others have since pointed out, this OpenSea bug concerns the improper delisting of NFTs that people have put up for sale.
To explain, delisting an NFT on OpenSea requires the NFT owner to pay a gas fee. This is because canceling a listing properly means sending a transaction on the blockchain that invalidates the sell order the owner originally signed. However, some NFT owners had found what they thought was a workaround to avoid paying the gas fee.
Indeed, people discovered that transferring an NFT to another wallet took the listing off of OpenSea. They would then transfer the NFT back to their original wallet and no listing would be visible on OpenSea.
The big problem with this is that it does not cancel the initial authorization that the owner signed to first list their NFT. In other words, the sale is technically still active. So if the NFT owner moves the NFT back to the wallet that they first listed it from, someone could swipe it. All they would need is some tech know-how and the original list price.
The bug is a result of OpenSea making the selling process easier
The reasons for this have to do with how OpenSea operates.
Without getting too technical, OpenSea works in a way to prevent people listing their NFTs from having to pay gas fees multiple times for a single transaction. It does this by having some of the processes happen off the blockchain. Namely, the part where users sign with their wallet agreeing to sell their NFT at a given price.
There’s a very simple way to think about this: a listing can disappear from OpenSea’s site without ever being canceled on the blockchain. This also goes for Rarible and other NFT marketplaces.
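To make the mechanism concrete, here is an added example (not from the article, and not OpenSea’s or any marketplace’s real code) that models an off-chain signed sell order next to a minimal on-chain exchange state. The HMAC “signature”, the wallet names, the token id 42 and the 0.77 ETH price are all constructed stand-ins. It shows that moving the token out only hides the listing, moving it back revives the order at the old price, and only an on-chain cancel actually kills it.

```python
# Added example (not from the article): a minimal model of an off-chain signed
# NFT order versus on-chain exchange state. HMAC stands in for the ECDSA
# signature the real exchange would recover; all names/values are constructed.
import hashlib
import hmac


def sign_order(maker_key: bytes, maker: str, token_id: int, price_eth: float) -> dict:
    """Off-chain step: the seller signs the order once; nothing is written on-chain."""
    msg = f"{maker}|{token_id}|{price_eth}".encode()
    sig = hmac.new(maker_key, msg, hashlib.sha256).hexdigest()
    return {"maker": maker, "token_id": token_id, "price_eth": price_eth, "sig": sig}


class Chain:
    """Constructed stand-in for the NFT contract plus the exchange contract."""

    def __init__(self, owners: dict, keys: dict):
        self.owners, self.keys, self.cancelled = owners, keys, set()

    def transfer(self, token_id: int, frm: str, to: str) -> None:
        assert self.owners[token_id] == frm
        self.owners[token_id] = to

    def cancel(self, order: dict) -> None:
        """On-chain cancel: costs gas, but it is the only thing the exchange checks."""
        self.cancelled.add(order["sig"])

    def fill(self, order: dict, buyer: str) -> bool:
        """Anyone holding the signed order can fill it while the maker owns the token."""
        msg = f"{order['maker']}|{order['token_id']}|{order['price_eth']}".encode()
        expected = hmac.new(self.keys[order["maker"]], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, order["sig"]):
            return False
        if order["sig"] in self.cancelled:
            return False
        if self.owners[order["token_id"]] != order["maker"]:
            return False  # token left the wallet: unfillable for now, but NOT cancelled
        self.owners[order["token_id"]] = buyer
        return True


def marketplace_shows(chain: Chain, order: dict) -> bool:
    """Off-chain UI: hides the listing as soon as the maker no longer owns the token."""
    return chain.owners[order["token_id"]] == order["maker"]


def stale_listing_scenario(cancel_on_chain: bool) -> dict:
    chain = Chain(owners={42: "seller"}, keys={"seller": b"seller-secret"})
    order = sign_order(b"seller-secret", "seller", 42, 0.77)
    chain.transfer(42, "seller", "hardware")  # the "gas-free delist"
    hidden = not marketplace_shows(chain, order)
    fill_while_away = chain.fill(order, "sniper")  # fails: seller no longer owns it
    if cancel_on_chain:
        chain.cancel(order)  # the gas-costing cancel the article recommends
    chain.transfer(42, "hardware", "seller")  # token comes back to the listing wallet
    return {"hidden": hidden, "fill_while_away": fill_while_away,
            "filled_at_old_price": chain.fill(order, "sniper")}
```

Running `stale_listing_scenario(False)` reproduces the loss: the listing is hidden, yet the old 0.77 ETH order fills once the token returns; with `True` the on-chain cancel makes the returned token safe.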
How to make sure it doesn’t happen to you
It’s important to realize that this bug came about because of some people not wanting to pay gas fees on OpenSea. The easiest way to prevent this from happening is to pay the gas fee for properly delisting a sale.
To be sure, nobody likes paying gas fees. Even so, this is the best way to make sure that you are canceling your listing on the blockchain, not just in the database of OpenSea or whatever NFT marketplace you’re using. People have also suggested that this bug isn’t a problem if you never move the NFT back into the original wallet. So perhaps that’s an option for people who just don’t want to deal with gas.
What can OpenSea and other platforms do to fix the bug?
As noted above, it’s difficult to blame OpenSea for this bug that people are exploiting. After all, these exploits are happening where people have not delisted their NFTs properly.
On the other hand, it’s not just people avoiding gas fees that are losing their NFTs this way. Some people simply move their NFTs, to a hardware wallet for example, and completely forget about their original listings once they no longer show up on OpenSea.
Either way, it’s no surprise that people are angry at OpenSea for the loophole and are demanding a fix. Not to mention that OpenSea is already feeling some pressure with the recent launch of its biggest competitor yet. For its part, OpenSea tweeted a video showing off a new feature aimed at preventing this bug exploit.
It tweeted, “We can’t cancel these orders for listers, so to fix the problem, we launched a new listings manager today.”
The listings manager shows each listing’s price and expiration, as well as the difference between the listing price and the floor price of the NFT’s collection. The floor price comparison in particular is meant to help holders quickly notice if their NFT is listed by mistake. Of course, all these old prices were set when these blue-chip NFTs were far less valuable.
Rarible launched a similar feature it calls its “Order Manager” a couple of weeks ago. There are also services like Revoke that people can use to remove all permissions for external sites connected to their ENS wallet.
Overall, there are many lessons to take from these episodes. Security is a major concern that the NFT space is always trying to address, whether that is protecting the community from scams or sharing tips on how to store NFTs safely.