OpenSea Old Contracts Exploited: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
(Another 30 minutes complete. Prevention added and much more research.)
(This is essentially the same incident. It's best to merge into one article.)
 
{{Case Study Under Construction}}[[File:Opensea.jpg|thumb|OpenSea]]OpenSea is one of the largest NFT marketplaces online. If an order is placed on the blockchain, it's available for future use unless cancelled or the NFT is no longer in the wallet which the offer applies to. If an NFT is moved from one wallet to another and back again, then OpenSea will fail to display the open order, which can still be executed. Multiple users exploited up to $1.1m worth of NFTs this way, through offers that the NFT owners erroneously thought had been cancelled.
#redirect [[OpenSea Forced Sale By Old Listing]]
 
== About OpenSea ==
<ref name="theverge2-6997" />
 
"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."
 
"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."
 
"Fascinated by the [CryptoKitties] movement that was forming, Devin Finzer and Alex Atallah joined early adopter communities in Discord and started talking to users. With the OpenSea beta launch in December 2017, the first open marketplace for any non-fungible token on the Ethereum blockchain was born."
 
"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."
 
== The Reality ==
"There are [some] straightforward security issues [on OpenSea], which have become newly urgent given the huge quantities of money on their platform."
 
"A [UI] bug in OpenSea has let hackers buy rare NFTs for well below market value, in some cases leading to hundreds of thousands of dollars in losses for the original owners — and hundreds of thousands of dollars in profits for the apparent thieves." "An interface bug that had been dormant for months let attackers trade on old contracts, causing hundreds of thousands of dollars in unintended sales."
 
"The exploit appears to rely on the fact that NFT owners are unaware that old marketplace listings for their NFTs are still active. Those old listings are now being used to purchase NFTs at prices chosen by the seller in the past - which is often well below current market prices."
 
"The bug appears to have been present for weeks and seems to be referenced in at least one tweet from January 1st, 2022. But exploitation of the bug has picked up significantly in the past day: blockchain analytics company Elliptic reported that in a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to “steal” NFTs with a market value of over $1 million."
 
A bug in the OpenSea NFT marketplace allowed hackers to purchase rare NFTs at significantly lower prices, resulting in substantial losses for the original owners and substantial profits for the attackers. The bug had been present for weeks but gained more attention recently, with at least eight instances of exploitation resulting in the theft of NFTs worth over $1 million. One example involved the purchase of a Bored Ape Yacht Club NFT for 0.77 ETH and its quick resale for 84.2 ETH, generating a profit of over $190,000 for the attacker. The bug was caused by a mismatch between NFT smart contracts and the information displayed by OpenSea's interface, allowing attackers to take advantage of old contracts that still existed on the blockchain. Users had previously used a workaround to re-list NFTs for higher prices by transferring them to another wallet, removing the listing from OpenSea's display but keeping it active on the blockchain. The bug was first discovered in December 2021, and it is unclear how OpenSea is addressing the issue<ref name="theverge-7214" />.
 
== What Happened ==
Old OpenSea orders remained available indefinitely, even though they were no longer displayed in the interface. After the price of several NFTs rose significantly, multiple actors took advantage of the old orders to purchase NFTs at prices far below their market value.
{| class="wikitable"
|+Key Event Timeline - OpenSea Old Contracts Exploited
!Date
!Event
!Description
|-
|January 12th, 2022 8:01:00 PM MST
|GinoTheGhost OpenSea Bug
|The Twitter user GinoTheGhost reported an OpenSea bug that allows people to exploit old listings and purchase NFTs unexpectedly<ref name="ginotheghosttwitter-7386" />. The bug occurs when sellers transfer their NFTs to another wallet to cancel listings, but the listings remain active on platforms like Rarible. As a result, NFTs are being sold below their floor prices, and users are unaware of how it happened. In the FLUF_World community, a valuable female VIP lanyard NFT was sold for a significantly lower price to an exploiter. The situation was resolved when the NFT was relisted and purchased back by the rightful owner. However, even after returning the NFT, it was immediately relisted at a lower price due to an old active listing. To avoid such issues, users are advised to check the "active" and "inactive" tabs on Rarible and revoke permissions for collections they are concerned about on revoke.cash. The incident caused frustration and financial losses for many users, but the FLUF_World community came together to support the affected individual<ref name="ginotheghosttwitter-7386" />.
|-
|January 24th, 2022 1:26:00 AM MST
|Main Event
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
|-
|January 24th, 2022 10:20:00 AM MST
|The Verge Article Published
|The Verge reports that a bug in the OpenSea NFT marketplace allowed hackers to purchase rare NFTs at significantly lower prices, resulting in substantial losses for the original owners and substantial profits for the attackers. The bug had been present for weeks but gained more attention recently, with at least eight instances of exploitation resulting in the theft of NFTs worth over $1 million. One example involved the purchase of a Bored Ape Yacht Club NFT for 0.77 ETH and its quick resale for 84.2 ETH, generating a profit of over $190,000 for the attacker. The bug was caused by a mismatch between NFT smart contracts and the information displayed by OpenSea's interface, allowing attackers to take advantage of old contracts that still existed on the blockchain. Users had previously used a workaround to re-list NFTs for higher prices by transferring them to another wallet, removing the listing from OpenSea's display but keeping it active on the blockchain. The bug was first discovered in December 2021, and it is unclear how OpenSea is addressing the issue<ref name="theverge-7214" />.
|}
 
== Technical Details ==
"According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea’s user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application."
 
"OpenSea users sell NFTs by setting a “list price” for potential buyers to see. Due to the nature of smart contracts, if a buyer accepts that list price, the NFT is automatically transferred to them. If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API."
 
=== Twitter Thread By GinoTheGhost ===
GinoTheGhost provided one of the earliest public warnings of the OpenSea exploit<ref name="ginotheghosttwitter-7386" />.<blockquote>IMPORTANT THREAD!
 
please RT to spread the word.
 
there’s an OpenSea bug (shocking, i know) in their contract that allows people to exploit old listings and buy NFTs right from under you. here’s a story of what happened today & how you can make sure it doesn’t happen to you:
 
canceling listings can be expensive. it costs gas to cancel EACH listing (every time you lower the price it’s a separate listing). so what many people do is transfer the NFT to another wallet to cancel the listing. this used to work. used to.
 
suddenly, people have been reporting their NFTs were sold below floor and they don’t even know how. what’s happening is, listings from as long as up to 6 months are still active on @rarible, even OS in some cases, when you transfer them back to your wallet.
 
today in the @FLUF_World community, a female VIP lanyard (worth at least 10eth) was sold for 2.7eth to someone exploiting the listing. fortunately, when it was re-listed it for 7eth, i sniped it instantly to make sure it could get back into the hands of the rightful owner.
 
after working out a deal to get the owner their Fluf back, i transferred it back to him. well guess what, IT IMMEDIATELY RE-LISTED FOR 3ETH from an old listing that was still somehow active. fortunately, @maxpoker247 sniped it and saved the day (again). what a [circus].
 
so what can you do to avoid this happening? step 1: go to <nowiki>https://orders.rarible.com</nowiki> and check the "active" tab. make sure nothing is listed. then check the "Inactive" tab— these are orders which weren’t properly cancelled or executed.
 
step 2: go to <nowiki>https://revoke.cash</nowiki> and connect your wallet, change the setting from ERC20 to ERC721, and you’ll see all the collections you have granted permissions. simply revoke the permissions for any collection you’re worried about.
 
today was exhausting. i wasted 6 hours of my life trying to sort this out with the original owner & regain liquidity, only for THE SAME EXPLOIT to almost [mess] the whole thing up anyway. & this result was a DREAM SCENARIO. countless people were [impact]ed by this with no recourse.
 
big thank you to the @FLUF_World community for stepping up today. so many people donated thousands of dollars to help our friend who [lost funds] by a platform that generates millions of dollars in revenue a day.</blockquote>
 
== Total Amount Lost ==
The total amount lost has been estimated at $1,100,000 USD.
 
== Immediate Reactions ==
TBD - Sources may be missing for this text. Find and add those sources.
 
"** Urgent ** There is an @opensea devastating bug that will keep old listing and allow exploiters to buy the NFT using their API. Immediate action is to move your NFT to a new wallet or wallet without any previous listing. I will add a [case] about it very soon."
 
"The way OS works, is by having their marketplace conduct off-chain to save gas. When you list an item for sale (or bid) you are signing data that validate that you are willing to sell your NFT at this price." "The signature is saved in @opensea's DB off-chain and when someone wants to buy your NFT, they will send to their smart contract your previously signed data where the signature and sale information (such as expiration & price) are validated on-chain before making the transfer."

"When you cancel a listing, you are required to perform a transaction, why you might ask? the reason is that someone might save your signed listing (which are public or even their API) and use it later, even if the listing got removed from the UI." "So the transaction on-chain will save the fact that you canceled this sale on their smart contract and even if someone will try to use your signed data from before, the on-chain validation will reject the sale."

"So what is this bug and how to avoid it? the bug stems from the fact that previously you could re-list an NFT without canceling it (which you can't now) and all the previous listing are not canceled on-chain, this is why re-listing will NOT work." "Furthermore, transferring a previously listed NFT back to the wallet that listed it, will not prevent you from this bug. Re-list will not help you too (unless you made sure you cancelled all previous listing)."
 
"And as we shown before sites save old listing and now exploiters can use this information to perform the sale since @opensea smart contract will believe this sale is valid! (which is kinda is)." "Another big problem that @opensea has, is that they don't have order nonce, so even if you made a listing 6 months ago then made another one 4 months ago & canceled it after 1 day, the first list is still valid and may not be visible on the UI."
 
"@LooksRareNFT for example, has the ability to cancel all orders using a nonce so even if you somehow forgotten to cancel a listing, this can make sure you are safer." "To sum up, previously, you could have re-list an NFT without canceling the previous list. Sometimes but not always, If you cancel your new listing, the old one will not appear on the UI but is still valid." "The two options are to cancel the listing directly or to send it to another wallet without transferring it back until the original listing expires." "Generally, I'd say simplest is to just cancel."
 
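The order checks described in the thread quoted above can be modelled in a few lines. This is an added example, not OpenSea's or LooksRare's contract code and not part of the original article. It assumes hypothetical names (<code>Order</code>, <code>Exchange</code>, <code>cancel_all</code>), constructed sample values, and an HMAC standing in for the wallet signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; an HMAC stands in for the wallet's ECDSA signature.
KEYS = {"alice": b"alice-demo-key"}

@dataclass(frozen=True)
class Order:
    maker: str
    token_id: int
    price_wei: int
    expires: int     # time after which the order is void
    nonce: int = 0   # only meaningful to a nonce-aware exchange
    def digest(self) -> bytes:
        fields = (self.maker, self.token_id, self.price_wei, self.expires, self.nonce)
        return hashlib.sha256(repr(fields).encode()).digest()

def sign(order: Order) -> bytes:
    return hmac.new(KEYS[order.maker], order.digest(), hashlib.sha256).digest()

class Exchange:  # hypothetical model of the on-chain checks in the thread
    def __init__(self, owners, nonce_aware=False):
        self.owners = dict(owners)   # token_id -> current owner
        self.cancelled = set()       # digests cancelled by an on-chain transaction
        self.min_nonce = {}          # maker -> lowest nonce still accepted
        self.nonce_aware = nonce_aware
    def cancel(self, order):         # per-order cancel (costs gas on a real chain)
        self.cancelled.add(order.digest())
    def cancel_all(self, maker, new_min):   # one transaction voids all older orders
        self.min_nonce[maker] = new_min
    def is_fillable(self, order, sig, now):
        if not hmac.compare_digest(sig, sign(order)):
            return False             # price or another field was altered
        if now > order.expires or order.digest() in self.cancelled:
            return False
        if self.nonce_aware and order.nonce < self.min_nonce.get(order.maker, 0):
            return False
        return self.owners.get(order.token_id) == order.maker

def scenario(nonce_aware):
    ex = Exchange({1: "alice"}, nonce_aware)
    old = Order("alice", 1, 3 * 10**18, expires=1000)   # constructed listing
    sig = sign(old)                  # stored off-chain; anyone can keep a copy
    out = {}
    ex.owners[1] = "cold-wallet"     # the gas-free "cancel": move the NFT away
    out["while_away"] = ex.is_fillable(old, sig, now=10)
    ex.owners[1] = "alice"           # ...and back again
    out["after_return"] = ex.is_fillable(old, sig, now=20)
    ex.cancel_all("alice", 1)
    out["after_cancel_all"] = ex.is_fillable(old, sig, now=30)
    ex.cancel(old)
    out["after_cancel"] = ex.is_fillable(old, sig, now=40)
    return out
```

In this model the old order is rejected only while the NFT sits in the other wallet, and becomes valid again once it returns. Without nonces it stays valid until the per-order cancel; with <code>nonce_aware=True</code> the single <code>cancel_all</code> call already rejects it.
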
"NFTs with a market value of $1.1 million have been purchased in this way." "Elliptic has identified at least five attackers who have exploited this loophole to purchase at least twelve NFTs for much less than their market value. These include Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz NFTs."
 
"For example at around 7am on January 24, a Bored Ape Yacht Club NFT #9991 was purchased for 0.77 ETH ($1,800). This family of NFTs currently sell for at least $198,000. Twenty minutes later the hacker sold the NFT for 84.2 ETH ($196,000) – realizing a profit of $194,000."
 
== Ultimate Outcome ==
 
 
"One attacker, going by the pseudonym "jpegdegenlove" paid a total of $133,000 for seven NFTs – before quickly selling them on for $934,000 in ether. Five hours later this ether was sent through Tornado Cash, a "mixing" service that is used to prevent blockchain tracing of funds."
 
"Jpegdegenlove also seems to have partially compensated two of their victims - sending 20 ETH ($45,000) to TBALLER and 13 ETH ($30,000) to Vault327."
 
"Another attacker purchased a single Mutant Ape Yacht Club NFT for $10,600, before selling it on five hours later for $34,800."
 
== Total Amount Recovered ==
The total amount recovered has been estimated at $75,000 USD.
 
== Ongoing Developments ==
"It’s unclear whether OpenSea is treating the situation as an open security flaw or a result of user error. The company did not respond to a request for comment by time of publication."

== Individual Prevention Policies ==
Individuals can avoid this risk by understanding the transactions they are making. The risk can be reduced by removing assets from OpenSea whenever not actively listed, and storing most funds offline.
 
{{Prevention:Individuals:Double Check Transactions}}
 
{{Prevention:Individuals:Safe Smart Contract Usage}}
 
{{Prevention:Individuals:Store Funds Offline}}
 
{{Prevention:Individuals:End}}
 
== Platform Prevention Policies ==
Third-party validation may uncover issues like this one in the OpenSea platform, where listings that are still valid on the blockchain are not showing up in the interface, or identify the possibility that listings may not have been cancelled. Having an established industry insurance fund is much more effective than depending on donations from random members of the community.
 
{{Prevention:Platforms:Regular Audit Procedures}}
 
{{Prevention:Platforms:Establish Industry Insurance Fund}}
 
{{Prevention:Platforms:End}}
 
== Regulatory Prevention Policies ==
Third-party validation may uncover issues like this one in the OpenSea platform, where listings that are still valid on the blockchain are not showing up in the interface, or identify the possibility that listings may not have been cancelled. Having an established industry insurance fund is much more effective than depending on donations from random members of the community.
 
{{Prevention:Regulators:Platform Security Assessments}}
 
{{Prevention:Regulators:Establish Industry Insurance Fund}}
 
{{Prevention:Regulators:End}}
 
== References ==
<references>
<ref name="theverge2-6997">[https://www.theverge.com/2022/2/2/22914081/open-sea-nft-marketplace-web3-fundraising-finzer-a16z How OpenSea took over the NFT trade - The Verge] (Mar 10, 2022)</ref>
<ref name="theverge-7214">[https://www.theverge.com/2022/1/24/22899125/opensea-bug-bored-ape-nfts-smart-contract-listings-cancellation An OpenSea bug let attackers snatch Apes from owners at six-figure discounts - The Verge] (Mar 15, 2022)</ref>
<ref name="ginotheghosttwitter-7386">[https://twitter.com/GinoTheGhost/status/1481461462350532609 GinoTheGhost - "there’s an OpenSea bug (shocking, i know) in their contract that allows people to exploit old listings and buy NFTs right from under you. here’s a story of what happened today & how you can make sure it doesn’t happen to you" - Twitter] (Mar 21, 2022)</ref>
</references>

Latest revision as of 11:26, 23 July 2023