OpenSea Old Contracts Exploited: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Edit summary: (Another 30 minutes complete. Prevention added and much more research.)
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/openseaoldcontractsexploited.php}}
{{Case Study Under Construction}}
[[File:Opensea.jpg|thumb|OpenSea]]
OpenSea is one of the largest NFT marketplaces online. If an order is placed on the blockchain, it's available for future use unless cancelled or the NFT is no longer in the wallet to which the offer applies. If an NFT is moved from one wallet to another and back again, OpenSea will fail to display the open order, which can still be executed. Multiple users exploited up to $1.1m worth of NFTs this way, through offers that the NFT owners erroneously thought had been cancelled.
{{Unattributed Sources}}

This is a global/international case not involving a specific country.<ref name="theverge2-6997" /><ref name="theverge-7214" /><ref name="ginotheghosttwitter-7386" />

== About OpenSea ==
<ref name="theverge2-6997" />

"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."

"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."

== The Reality ==
"There are [some] straightforward security issues [on OpenSea], which have become newly urgent given the huge quantities of money on their platform."

"According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea’s user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application."

"OpenSea users sell NFTs by setting a “list price” for potential buyers to see. Due to the nature of smart contracts, if a buyer accepts that list price, the NFT is automatically transferred to them. If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API."

A bug in the OpenSea NFT marketplace allowed hackers to purchase rare NFTs at significantly lower prices, resulting in substantial losses for the original owners and substantial profits for the attackers. The bug had been present for weeks but gained more attention recently, with at least eight instances of exploitation resulting in the theft of NFTs worth over $1 million. One example involved the purchase of a Bored Ape Yacht Club NFT for 0.77 ETH and its quick resale for 84.2 ETH, generating a profit of over $190,000 for the attacker. The bug was caused by a mismatch between NFT smart contracts and the information displayed by OpenSea's interface, allowing attackers to take advantage of old contracts that still existed on the blockchain. Users had previously used a workaround to re-list NFTs for higher prices by transferring them to another wallet, removing the listing from OpenSea's display but keeping it active on the blockchain. The bug was first discovered in December 2021, and it is unclear how OpenSea is addressing the issue.<ref name="theverge-7214" />

== What Happened ==
OpenSea orders continued to be available indefinitely, and did not display on the interface. After the price of several NFTs rose significantly, multiple actors took advantage of the old orders to purchase NFTs at very low prices.
{| class="wikitable"
|+Key Event Timeline - OpenSea Old Contracts Exploited
!Date
!Event
!Description
|-
|January 12th, 2022 8:01:00 PM MST
|GinoTheGhost OpenSea Bug
|The Twitter user GinoTheGhost reported an OpenSea bug that allows people to exploit old listings and purchase NFTs unexpectedly<ref name="ginotheghosttwitter-7386" />. The bug occurs when sellers transfer their NFTs to another wallet to cancel listings, but the listings remain active on platforms like Rarible. As a result, NFTs are being sold below their floor prices, and users are unaware of how it happened. In the FLUF_World community, a valuable female VIP lanyard NFT was sold for a significantly lower price to an exploiter. The situation was resolved when the NFT was relisted and purchased back by the rightful owner. However, even after returning the NFT, it was immediately relisted at a lower price due to an old active listing. To avoid such issues, users are advised to check the "active" and "inactive" tabs on Rarible and revoke permissions for collections they are concerned about on revoke.cash. The incident caused frustration and financial losses for many users, but the FLUF_World community came together to support the affected individual<ref name="ginotheghosttwitter-7386" />.
|-
|January 24th, 2022 1:26:00 AM MST
|Main Event
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
|-
|January 24th, 2022 10:20:00 AM MST
|The Verge Article Published
|The Verge reports that a bug in the OpenSea NFT marketplace allowed hackers to purchase rare NFTs at significantly lower prices, resulting in substantial losses for the original owners and substantial profits for the attackers. The bug had been present for weeks but gained more attention recently, with at least eight instances of exploitation resulting in the theft of NFTs worth over $1 million. One example involved the purchase of a Bored Ape Yacht Club NFT for 0.77 ETH and its quick resale for 84.2 ETH, generating a profit of over $190,000 for the attacker. The bug was caused by a mismatch between NFT smart contracts and the information displayed by OpenSea's interface, allowing attackers to take advantage of old contracts that still existed on the blockchain. Users had previously used a workaround to re-list NFTs for higher prices by transferring them to another wallet, removing the listing from OpenSea's display but keeping it active on the blockchain. The bug was first discovered in December 2021, and it is unclear how OpenSea is addressing the issue<ref name="theverge-7214" />.
|}

== Technical Details ==
"** Urgent ** There is an @opensea devastating bug that will keep old listing and allow exploiters to buy the NFT using their API. Immediate action is to move your NFT to a new wallet or wallet without any previous listing. I will add a [case] about it very soon."

"The way OS works, is by having their marketplace conduct off-chain to save gas. When you list an item for sale (or bid) you are signing data that validate that you are willing to sell your NFT at this price." "The signature is saved in @opensea's DB off-chain and when someone wants to buy your NFT, they will send to their smart contract your previously signed data where the signature and sale information (such as expiration & price) are validated on-chain before making the transfer."

"When you cancel a listing, you are required to perform a transaction, why you might ask? the reason is that someone might save your signed listing (which are public or even their API) and use it later, even if the listing got removed from the UI." "So the transaction on-chain will save the fact that you canceled this sale on their smart contract and even if someone will try to use your signed data from before, the on-chain validation will reject the sale."

"So what is this bug and how to avoid it? the bug stems from the fact that previously you could re-list an NFT without canceling it (which you can't now) and all the previous listing are not canceled on-chain, this is why re-listing will NOT work." "Furthermore, transferring a previously listed NFT back to the wallet that listed it, will not prevent you from this bug. Re-list will not help you too (unless you made sure you cancelled all previous listing)."

"And as we shown before sites save old listing and now exploiters can use this information to perform the sale since @opensea smart contract will believe this sale is valid! (which it kinda is)." "Another big problem that @opensea has, is that they don't have order nonce, so even if you made a listing 6 months ago then made another one 4 months ago & canceled it after 1 day, the first list is still valid and may not be visible on the UI."

"@LooksRareNFT for example, has the ability to cancel all orders using a nonce so even if you somehow forgotten to cancel a listing, this can make sure you are safer." "To sum up, previously, you could have re-list an NFT without canceling the previous list. Sometimes but not always, If you cancel your new listing, the old one will not appear on the UI but is still valid." "The two options are to cancel the listing directly or to send it to another wallet without transferring it back until the original listing expires." "Generally, I'd say simplest is to just cancel."

=== Twitter Thread By GinoTheGhost ===
GinoTheGhost provided one of the earliest public warnings of the OpenSea exploit.<ref name="ginotheghosttwitter-7386" /><blockquote>IMPORTANT THREAD!

please RT to spread the word.

there’s an OpenSea bug (shocking, i know) in their contract that allows people to exploit old listings and buy NFTs right from under you. here’s a story of what happened today & how you can make sure it doesn’t happen to you:

canceling listings can be expensive. it costs gas to cancel EACH listing (every time you lower the price it’s a separate listing). so what many people do is transfer the NFT to another wallet to cancel the listing. this used to work. used to.

suddenly, people have been reporting their NFTs were sold below floor and they don’t even know how. what’s happening is, listings from as long as up to 6 months are still active on @rarible, even OS in some cases, when you transfer them back to your wallet.

today in the @FLUF_World community, a female VIP lanyard (worth at least 10eth) was sold for 2.7eth to someone exploiting the listing. fortunately, when it was re-listed for 7eth, i sniped it instantly to make sure it could get back into the hands of the rightful owner.

after working out a deal to get the owner their Fluf back, i transferred it back to him. well guess what, IT IMMEDIATELY RE-LISTED FOR 3ETH from an old listing that was still somehow active. fortunately, @maxpoker247 sniped it and saved the day (again). what a [circus].

so what can you do to avoid this happening? step 1: go to <nowiki>https://orders.rarible.com</nowiki> and check the "active" tab. make sure nothing is listed. then check the "Inactive" tab — these are orders which weren’t properly cancelled or executed.

step 2: go to <nowiki>https://revoke.cash</nowiki> and connect your wallet, change the setting from ERC20 to ERC721, and you’ll see all the collections you have granted permissions. simply revoke the permissions for any collection you’re worried about.

today was exhausting. i wasted 6 hours of my life trying to sort this out with the original owner & regain liquidity, only for THE SAME EXPLOIT to almost [mess] the whole thing up anyway. & this result was a DREAM SCENARIO. countless people were [impact]ed by this with no recourse.

big thank you to the @FLUF_World community for stepping up today. so many people donated thousands of dollars to help our friend who [lost funds] by a platform that generates millions of dollars in revenue a day.</blockquote>
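
The following Python model is added here as an illustration of the mechanism described in the Rotem Yakir quotes and the thread above; it is not code from OpenSea, LooksRare or either author. It shows why an off-chain signed listing is still accepted on-chain after the NFT leaves and returns to the seller's wallet, why an explicit on-chain cancellation (or parking the NFT elsewhere until expiry) voids it, and how a per-seller order nonce lets one "cancel all" transaction void every older listing at once. The signature scheme (HMAC standing in for ECDSA), the wallet names, the token label and the timestamps are constructed stand-ins.

```python
"""Toy model of an off-chain signed-order NFT marketplace with on-chain validation.
Constructed teaching example, not OpenSea or LooksRare code: an HMAC tag stands in for
the seller's ECDSA signature and the Chain class for the exchange contract's checks."""
import hashlib
import hmac
from dataclasses import dataclass

DAY = 86_400
NOW = 1_642_000_000                  # constructed "current time" (January 2022)
KEYS = {"alice": b"alice-secret"}    # constructed per-seller signing secret


@dataclass(frozen=True)
class Order:
    seller: str
    nft: str          # constructed token label, e.g. "BAYC#9991"
    price_eth: float
    expiry: int       # unix time after which the order is void
    nonce: int        # seller's order nonce at signing time (ignored in the no-nonce design)


def order_hash(o: Order) -> bytes:
    return hashlib.sha256(repr(o).encode()).digest()   # dataclass repr is deterministic


def sign(o: Order) -> bytes:
    return hmac.new(KEYS[o.seller], order_hash(o), "sha256").digest()


def verify(o: Order, sig: bytes) -> bool:
    return hmac.compare_digest(sign(o), sig)


class Chain:
    """On-chain state the exchange contract consults when a buyer submits a signed order."""

    def __init__(self, owners: dict, use_nonce: bool):
        self.owners = dict(owners)
        self.cancelled = set()     # hashes of explicitly cancelled orders
        self.min_nonce = {}        # seller -> lowest nonce still valid (cancel-all design)
        self.use_nonce = use_nonce

    def cancel_order(self, o: Order) -> None:
        """One gas-paying transaction per listing; the contract remembers the hash."""
        self.cancelled.add(order_hash(o))

    def cancel_all_orders(self, seller: str, new_min_nonce: int) -> None:
        """One transaction voids every order the seller signed with a lower nonce."""
        self.min_nonce[seller] = new_min_nonce

    def fill(self, o: Order, sig: bytes, buyer: str, now: int) -> str:
        """The checks a contract performs before moving the NFT; returns the outcome."""
        if not verify(o, sig):
            return "rejected: bad signature"
        if now > o.expiry:
            return "rejected: expired"
        if order_hash(o) in self.cancelled:
            return "rejected: cancelled on-chain"
        if self.use_nonce and o.nonce < self.min_nonce.get(o.seller, 0):
            return "rejected: stale nonce"
        if self.owners[o.nft] != o.seller:
            return "rejected: seller no longer owns the NFT"
        self.owners[o.nft] = buyer
        return "filled"


OLD = Order("alice", "BAYC#9991", 0.77, NOW + 180 * DAY, nonce=0)   # constructed stale listing


def transfer_workaround() -> tuple:
    """Seller 'cancels' by moving the NFT out and back: the UI hides it, the contract fills it."""
    chain = Chain({"BAYC#9991": "alice"}, use_nonce=False)
    sig = sign(OLD)
    ui = {"BAYC#9991": (OLD, sig)}          # marketplace's off-chain order database
    chain.owners["BAYC#9991"] = "alice-vault"
    ui.pop("BAYC#9991")                     # indexer drops the listing when the NFT moves...
    chain.owners["BAYC#9991"] = "alice"     # ...but nothing on-chain recorded a cancellation
    return "BAYC#9991" in ui, chain.fill(OLD, sig, "buyer", NOW)


def park_in_other_wallet() -> str:
    """Moving the NFT away and leaving it there until the order expires does protect the seller."""
    chain = Chain({"BAYC#9991": "alice-vault"}, use_nonce=False)
    return chain.fill(OLD, sign(OLD), "buyer", NOW)


def cancel_on_chain() -> str:
    """The proper fix for one listing: an explicit on-chain cancellation."""
    chain = Chain({"BAYC#9991": "alice"}, use_nonce=False)
    chain.cancel_order(OLD)
    return chain.fill(OLD, sign(OLD), "buyer", NOW)


def cancel_all_with_nonce() -> tuple:
    """Nonce design: one cancel-all voids every older order, while a fresh listing still fills."""
    chain = Chain({"BAYC#9991": "alice"}, use_nonce=True)
    chain.cancel_all_orders("alice", new_min_nonce=1)
    new = Order("alice", "BAYC#9991", 80.0, NOW + 30 * DAY, nonce=1)
    return chain.fill(OLD, sign(OLD), "buyer", NOW), chain.fill(new, sign(new), "buyer", NOW)
```

The four scenario functions correspond to the outcomes the thread describes: the transfer-and-return workaround leaves the order fillable, while an on-chain cancel, parking the NFT elsewhere, or a nonce-based cancel-all each cause the contract to reject it.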


== Total Amount Lost ==
The total amount lost has been estimated at $1,100,000 USD.

"NFTs with a market value of $1.1 million have been purchased in this way." "Elliptic has identified at least five attackers who have exploited this loophole to purchase at least twelve NFTs for much less than their market value. These include Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz NFTs."

"For example at around 7am on January 24, a Bored Ape Yacht Club NFT #9991 was purchased for 0.77 ETH ($1,800). This family of NFTs currently sell for at least $198,000. Twenty minutes later the hacker sold the NFT for 84.2 ETH ($196,000) – realizing a profit of $194,000."

== Immediate Reactions ==
TBD - Sources may be missing for this text. Find and add those sources.

== Ultimate Outcome ==
"One attacker, going by the pseudonym "jpegdegenlove" paid a total of $133,000 for seven NFTs – before quickly selling them on for $934,000 in ether. Five hours later this ether was sent through Tornado Cash, a "mixing" service that is used to prevent blockchain tracing of funds."

"Jpegdegenlove also seems to have partially compensated two of their victims - sending 20 ETH ($45,000) to TBALLER and 13 ETH ($30,000) to Vault327."

"Another attacker purchased a single Mutant Ape Yacht Club NFT for $10,600, before selling it on five hours later for $34,800."

== Total Amount Recovered ==
The total amount recovered has been estimated at $75,000 USD.

== Ongoing Developments ==
"It’s unclear whether OpenSea is treating the situation as an open security flaw or a result of user error. The company did not respond to a request for comment by time of publication."

== Individual Prevention Policies ==
Individuals can avoid this risk by understanding the transactions they are making. The risk can be reduced by removing assets from OpenSea whenever they are not actively listed, and by storing most funds offline.

{{Prevention:Individuals:Double Check Transactions}}

{{Prevention:Individuals:Safe Smart Contract Usage}}

{{Prevention:Individuals:Store Funds Offline}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
A third-party validation of the OpenSea platform may uncover issues where valid blockchain listings are not shown, or identify the possibility that listings are not actually cancelled. Having an established industry insurance fund is much more effective than depending on donations from random members of the community.

{{Prevention:Platforms:Regular Audit Procedures}}

{{Prevention:Platforms:Establish Industry Insurance Fund}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
A third-party validation of the OpenSea platform may uncover issues where valid blockchain listings are not shown, or identify the possibility that listings are not actually cancelled. Having an established industry insurance fund is much more effective than depending on donations from random members of the community.

{{Prevention:Regulators:Platform Security Assessments}}

{{Prevention:Regulators:Establish Industry Insurance Fund}}

{{Prevention:Regulators:End}}

== References ==
<references>
<ref name="theverge2-6997">[https://www.theverge.com/2022/2/2/22914081/open-sea-nft-marketplace-web3-fundraising-finzer-a16z How OpenSea took over the NFT trade - The Verge] (Mar 10, 2022)</ref>
<ref name="theverge-7214">[https://www.theverge.com/2022/1/24/22899125/opensea-bug-bored-ape-nfts-smart-contract-listings-cancellation An OpenSea bug let attackers snatch Apes from owners at six-figure discounts - The Verge] (Mar 15, 2022)</ref>
<ref name="ginotheghosttwitter-7386">[https://twitter.com/GinoTheGhost/status/1481461462350532609 GinoTheGhost - "there’s an OpenSea bug (shocking, i know) in their contract that allows people to exploit old listings and buy NFTs right from under you. here’s a story of what happened today & how you can make sure it doesn’t happen to you" - Twitter] (Mar 21, 2022)</ref>
</references>

Revision as of 20:03, 16 July 2023

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

OpenSea

OpenSea is one of the largest NFT marketplaces online. If an order is placed on the blockchain, it's available for future use unless cancelled or the NFT is no longer in the wallet which the offer applies to. If an NFT is moved from one wallet to another and back again, then OpenSea will fail to display the open order, which can still be executed. Multiple users exploited up to $1.1m worth of NFTs this way, through offers that the NFT owners erroneously thought had been cancelled.

About OpenSea

[1]

"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."

"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."

"Fascinated by the [CryptoKitties] movement that was forming, Devin Finzer and Alex Atallah joined early adopter communities in Discord and started talking to users. With the OpenSea beta launch in December 2017, the first open marketplace for any non-fungible token on the Ethereum blockchain was born."

"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."

The Reality

"There are [some] straightforward security issues [on OpenSea], which have become newly urgent given the huge quantities of money on their platform."

"A [UI] bug in OpenSea has let hackers buy rare NFTs for well below market value, in some cases leading to hundreds of thousands of dollars in losses for the original owners — and hundreds of thousands of dollars in profits for the apparent thieves." "An interface bug that had been dormant for months let attackers trade on old contracts, causing hundreds of thousands of dollars in unintended sales."

"The exploit appears to rely on the fact that NFT owners are unaware that old marketplace listings for their NFTs are still active. Those old listings are now being used to purchase NFTs at prices chosen by the seller in the past - which is often well below current market prices."

"The bug appears to have been present for weeks and seems to be referenced in at least one tweet from January 1st, 2022. But exploitation of the bug has picked up significantly in the past day: blockchain analytics company Elliptic reported that in a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to “steal” NFTs with a market value of over $1 million."

"According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea’s user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application."

"OpenSea users sell NFTs by setting a “list price” for potential buyers to see. Due to the nature of smart contracts, if a buyer accepts that list price, the NFT is automatically transferred to them. If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API."


A bug in the OpenSea NFT marketplace allowed hackers to purchase rare NFTs at significantly lower prices, resulting in substantial losses for the original owners and substantial profits for the attackers. The bug had been present for weeks but gained more attention recently, with at least eight instances of exploitation resulting in the theft of NFTs worth over $1 million. One example involved the purchase of a Bored Ape Yacht Club NFT for 0.77 ETH and its quick resale for 84.2 ETH, generating a profit of over $190,000 for the attacker. The bug was caused by a mismatch between NFT smart contracts and the information displayed by OpenSea's interface, allowing attackers to take advantage of old contracts that still existed on the blockchain. Users had previously used a workaround to re-list NFTs for higher prices by transferring them to another wallet, removing the listing from OpenSea's display but keeping it active on the blockchain. The bug was first discovered in December 2021, and it is unclear how OpenSea is addressing the issue[2].

What Happened

OpenSea orders remained valid on the blockchain indefinitely once signed, even after the interface stopped displaying them. After the prices of several NFT collections rose significantly, multiple actors took advantage of these stale orders to purchase NFTs for far below their market value.

Key Event Timeline - OpenSea Old Contracts Exploited
{| class="wikitable"
! Date !! Event !! Description
|-
| January 12th, 2022 8:01:00 PM MST || GinoTheGhost OpenSea Bug || The Twitter user GinoTheGhost reported an OpenSea bug that allows people to exploit old listings and purchase NFTs unexpectedly[3]. The bug occurs when sellers transfer their NFTs to another wallet to cancel listings, but the listings remain active on platforms like Rarible. As a result, NFTs are being sold below their floor prices, and users are unaware of how it happened. In the FLUF_World community, a valuable female VIP lanyard NFT was sold for a significantly lower price to an exploiter. The situation was resolved when the NFT was relisted and purchased back by the rightful owner. However, even after returning the NFT, it was immediately relisted at a lower price due to an old active listing. To avoid such issues, users are advised to check the "active" and "inactive" tabs on Rarible and revoke permissions for collections they are concerned about on revoke.cash. The incident caused frustration and financial losses for many users, but the FLUF_World community came together to support the affected individual[3].
|-
| January 24th, 2022 1:26:00 AM MST || Main Event || Multiple actors took advantage of old OpenSea listings that remained valid on the blockchain but were no longer displayed in the OpenSea interface, purchasing NFTs including Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz pieces for far below their market value. NFTs with a market value of up to $1.1 million were purchased this way.
|-
| January 24th, 2022 10:20:00 AM MST || The Verge Article Published || The Verge reports that a bug in the OpenSea NFT marketplace allowed hackers to purchase rare NFTs at significantly lower prices, resulting in substantial losses for the original owners and substantial profits for the attackers. The bug had been present for weeks but gained more attention recently, with at least eight instances of exploitation resulting in the theft of NFTs worth over $1 million. One example involved the purchase of a Bored Ape Yacht Club NFT for 0.77 ETH and its quick resale for 84.2 ETH, generating a profit of over $190,000 for the attacker. The bug was caused by a mismatch between NFT smart contracts and the information displayed by OpenSea's interface, allowing attackers to take advantage of old contracts that still existed on the blockchain. Users had previously used a workaround to re-list NFTs for higher prices by transferring them to another wallet, removing the listing from OpenSea's display but keeping it active on the blockchain. The bug was first discovered in December 2021, and it is unclear how OpenSea is addressing the issue[2].
|}

Technical Details

"According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea’s user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application."

"OpenSea users sell NFTs by setting a “list price” for potential buyers to see. Due to the nature of smart contracts, if a buyer accepts that list price, the NFT is automatically transferred to them. If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API."

Twitter Thread By GinoTheGhost

GinoTheGhost provided one of the earliest public warnings of the OpenSea exploit[3].

IMPORTANT THREAD!

please RT to spread the word.

there’s an OpenSea bug (shocking, i know) in their contract that allows people to exploit old listings and buy NFTs right from under you. here’s a story of what happened today & how you can make sure it doesn’t happen to you:

canceling listings can be expensive. it costs gas to cancel EACH listing (every time you lower the price it’s a separate listing). so what many people do is transfer the NFT to another wallet to cancel the listing. this used to work. used to.

suddenly, people have been reporting their NFTs were sold below floor and they don’t even know how. what’s happening is, listings from as long as up to 6 months are still active on @rarible, even OS in some cases, when you transfer them back to your wallet.

today in the @FLUF_World community, a female VIP lanyard (worth at least 10eth) was sold for 2.7eth to someone exploiting the listing. fortunately, when it was re-listed for 7eth, i sniped it instantly to make sure it could get back into the hands of the rightful owner.

after working out a deal to get the owner their Fluf back, i transferred it back to him. well guess what, IT IMMEDIATELY RE-LISTED FOR 3ETH from an old listing that was still somehow active. fortunately, @maxpoker247 sniped it and saved the day (again). what a [circus].

so what can you do to avoid this happening? step 1: go to https://orders.rarible.com and check the "active" tab. make sure nothing is listed. then check the "Inactive" tab— these are orders which weren’t properly cancelled or executed.

step 2: go to https://revoke.cash and connect your wallet, change the setting from ERC20 to ERC721, and you’ll see all the collections you have granted permissions. simply revoke the permissions for any collection you’re worried about.

today was exhausting. i wasted 6 hours of my life trying to sort this out with the original owner & regain liquidity, only for THE SAME EXPLOIT to almost [mess] the whole thing up anyway. & this result was a DREAM SCENARIO. countless people were [impact]ed by this with no recourse.

big thank you to the @FLUF_World community for stepping up today. so many people donated thousands of dollars to help our friend who [lost funds] by a platform that generates millions of dollars in revenue a day.

Total Amount Lost

The total amount lost has been estimated at $1,100,000 USD.

Immediate Reactions

TBD - Sources may be missing for this text. Find and add those sources.

"** Urgent ** There is an @opensea devastating bug that will keep old listings and allow exploiters to buy the NFT using their API. Immediate action is to move your NFT to a new wallet or a wallet without any previous listing. I will add a [case] about it very soon."

"The way OS works is by having their marketplace conduct off-chain to save gas. When you list an item for sale (or bid) you are signing data that validates that you are willing to sell your NFT at this price." "The signature is saved in @opensea's DB off-chain and when someone wants to buy your NFT, they will send to their smart contract your previously signed data, where the signature and sale information (such as expiration & price) are validated on-chain before making the transfer."

"When you cancel a listing, you are required to perform a transaction. Why, you might ask? The reason is that someone might save your signed listing (which is public, or even their API) and use it later, even if the listing got removed from the UI." "So the transaction on-chain will save the fact that you canceled this sale on their smart contract, and even if someone tries to use your signed data from before, the on-chain validation will reject the sale."

"So what is this bug and how to avoid it? The bug stems from the fact that previously you could re-list an NFT without canceling it (which you can't now) and all the previous listings are not canceled on-chain; this is why re-listing will NOT work." "Furthermore, transferring a previously listed NFT back to the wallet that listed it will not prevent you from this bug. Re-listing will not help you either (unless you made sure you canceled all previous listings)."

"And as we showed before, sites save old listings and now exploiters can use this information to perform the sale, since @opensea's smart contract will believe this sale is valid (which it kinda is)." "Another big problem that @opensea has is that they don't have an order nonce, so even if you made a listing 6 months ago, then made another one 4 months ago & canceled it after 1 day, the first listing is still valid and may not be visible on the UI."

"@LooksRareNFT, for example, has the ability to cancel all orders using a nonce, so even if you somehow forgot to cancel a listing, this can make sure you are safer." "To sum up: previously, you could have re-listed an NFT without canceling the previous listing. Sometimes, but not always, if you cancel your new listing, the old one will not appear on the UI but is still valid." "The two options are to cancel the listing directly or to send it to another wallet without transferring it back until the original listing expires." "Generally, I'd say simplest is to just cancel."
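The order lifecycle described in the quotes above (a listing signed once off-chain, validated on-chain at fill time, invalidated only by an on-chain cancel, with no per-maker nonce) can be seen end to end in a small simulation. The following is an added illustrative example written for this page; it is not OpenSea's, Wyvern's or LooksRare's code. The `Chain`, `Frontend`, `Order`, `scenario` and `nonce_scenario` names, the wallet names, the token ids and the secrets are all constructed, an HMAC stands in for ECDSA signing and signer recovery, and order expiry is left out. The front end deliberately hides an order once the token leaves the maker's wallet and never re-shows it, which is the display behaviour the article describes, while the chain-side `can_fill` check ignores the UI entirely. The two defences from GinoTheGhost's thread (audit stored orders against the chain, revoke the marketplace's operator approval) and the nonce-based cancel-all that Rotem Yakir credits to LooksRare are each exercised.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    maker: str       # wallet that signed the listing
    token: str       # collection#id, e.g. "BAYC#9991" (constructed sample id)
    price_eth: float
    nonce: int       # per-maker order nonce (the feature the thread says OpenSea lacked)
    signature: str   # toy HMAC standing in for an ECDSA signature

def order_message(maker, token, price_eth, nonce) -> bytes:
    return f"{maker}|{token}|{price_eth}|{nonce}".encode()

def sign_order(secret: bytes, maker, token, price_eth, nonce=0) -> Order:
    # The maker signs once; the marketplace keeps the result in its off-chain database.
    sig = hmac.new(secret, order_message(maker, token, price_eth, nonce), hashlib.sha256).hexdigest()
    return Order(maker, token, price_eth, nonce, sig)

class Chain:
    """Toy on-chain state: everything a fill transaction can consult, and nothing else."""
    def __init__(self):
        self.owner = {}         # token -> wallet
        self.keys = {}          # wallet -> secret (stands in for signer recovery)
        self.approved = set()   # wallets that approved the marketplace as operator
        self.cancelled = set()  # signatures cancelled by an on-chain transaction
        self.min_nonce = {}     # wallet -> lowest nonce still accepted (cancel-all)

    def can_fill(self, o: Order):
        """(ok, reason). Note what is *not* checked: whether any UI still displays the order."""
        msg = order_message(o.maker, o.token, o.price_eth, o.nonce)
        expected = hmac.new(self.keys.get(o.maker, b""), msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, o.signature):
            return False, "bad signature"
        if o.signature in self.cancelled:
            return False, "cancelled on-chain"
        if o.nonce < self.min_nonce.get(o.maker, 0):
            return False, "nonce invalidated by cancel-all"
        if self.owner.get(o.token) != o.maker:
            return False, "maker does not hold the token"
        if o.maker not in self.approved:
            return False, "marketplace approval revoked"
        return True, "fillable"

    def cancel(self, o: Order):          # the gas-costing transaction sellers were avoiding
        self.cancelled.add(o.signature)

    def cancel_all(self, wallet: str, current_nonce: int):
        self.min_nonce[wallet] = current_nonce + 1   # one transaction voids every older order

    def transfer(self, token: str, src: str, dst: str):
        assert self.owner[token] == src
        self.owner[token] = dst

class Frontend:
    """Off-chain index: hides an order once the token leaves the maker's wallet, never re-shows it."""
    def __init__(self):
        self.orders, self.hidden = [], set()

    def on_transfer(self, token: str):
        self.hidden.update(o.signature for o in self.orders if o.token == token)

    def visible(self):
        return [o for o in self.orders if o.signature not in self.hidden]

def scenario():
    """Alice lists at 1 ETH, 'cancels' by round-tripping the token, and the listing stays live."""
    chain, ui = Chain(), Frontend()
    chain.keys["alice"], chain.owner["BAYC#9991"] = b"alice-secret", "alice"   # constructed
    chain.approved.add("alice")
    old = sign_order(b"alice-secret", "alice", "BAYC#9991", 1.0)
    ui.orders.append(old)
    chain.transfer("BAYC#9991", "alice", "alice-vault")   # round-trip instead of paying to cancel
    ui.on_transfer("BAYC#9991")
    chain.transfer("BAYC#9991", "alice-vault", "alice")
    # Audit every stored order against the chain: the thread's "inactive tab" check.
    stale = [o for o in ui.orders if chain.can_fill(o)[0]]
    result = {"shown_in_ui": len(ui.visible()),   # 0: the UI no longer lists it
              "audit_finds": len(stale),          # 1: the chain would still honour it
              "still_fillable": chain.can_fill(old)[0]}
    chain.approved.discard("alice")               # defence 1: revoke the operator approval
    result["after_revoke"] = chain.can_fill(old)[1]
    chain.approved.add("alice")
    chain.cancel(old)                             # defence 2: cancel on-chain
    result["after_cancel"] = chain.can_fill(old)[1]
    return result

def nonce_scenario():
    """With a maker nonce, one cancel_all transaction invalidates every older listing."""
    chain = Chain()
    chain.keys["bob"], chain.owner["COOL#1"] = b"bob-secret", "bob"
    chain.approved.add("bob")
    old = sign_order(b"bob-secret", "bob", "COOL#1", 1.0, nonce=0)
    chain.cancel_all("bob", current_nonce=0)
    new = sign_order(b"bob-secret", "bob", "COOL#1", 9.0, nonce=1)
    return chain.can_fill(old)[0], chain.can_fill(new)[0]   # (False, True)
```

The point the simulation makes is that the UI's notion of "active" and the contract's notion of "fillable" are computed from different inputs: the index reacts to transfer events it happens to observe, while the contract only ever asks whether the signature verifies, whether a cancel was recorded, whether the maker currently holds the token and whether the operator approval is in place. Any audit of a wallet's exposure therefore has to be run against the chain-side rule, not the display, and any per-listing cancel is only as complete as the list of orders the auditor knows about, which is why a maker-level nonce is the sturdier design.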

"NFTs with a market value of $1.1 million have been purchased in this way." "Elliptic has identified at least five attackers who have exploited this loophole to purchase at least twelve NFTs for much less than their market value. These include Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz NFTs."

"For example at around 7am on January 24, a Bored Ape Yacht Club NFT #9991 was purchased for 0.77 ETH ($1,800). This family of NFTs currently sell for at least $198,000. Twenty minutes later the hacker sold the NFT for 84.2 ETH ($196,000) – realizing a profit of $194,000."

Ultimate Outcome

"One attacker, going by the pseudonym "jpegdegenlove" paid a total of $133,000 for seven NFTs – before quickly selling them on for $934,000 in ether. Five hours later this ether was sent through Tornado Cash, a "mixing" service that is used to prevent blockchain tracing of funds."

"Jpegdegenlove also seems to have partially compensated two of their victims - sending 20 ETH ($45,000) to TBALLER and 13 ETH ($30,000) to Vault327."

"Another attacker purchased a single Mutant Ape Yacht Club NFT for $10,600, before selling it on five hours later for $34,800."

Total Amount Recovered

The total amount recovered has been estimated at $75,000 USD.

Ongoing Developments

"It’s unclear whether OpenSea is treating the situation as an open security flaw or a result of user error. The company did not respond to a request for comment by time of publication."

Individual Prevention Policies

Individuals can avoid this risk by understanding the transactions they are making. The risk can be reduced by removing assets from OpenSea whenever not actively listed, and storing most funds offline.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, and steel wallet devices.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

A third party validation may uncover issues in the OpenSea platform such as valid blockchain listings not showing up in the interface, or identify the possibility that listings a user believes to be cancelled remain valid on-chain. Having an established industry insurance fund is much more effective than depending on donations from random members of the community.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References