OpenSea Forced Sale By Old Listing

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

OpenSea

OpenSea is one of the largest NFT marketplaces online. Once an order has been placed, it remains available for future use unless it is cancelled or the NFT is no longer in the wallet the order applies to. If an NFT is moved from one wallet to another and back again, OpenSea's interface stops displaying the open order, but the order can still be executed. On January 12th, two of a user's old orders were used to purchase their NFT (worth 10 ETH) for 2.7 ETH and then again for 3 ETH. Other users returned the NFT to the rightful owner for the price they had paid for it, which was 7 ETH in the first case and 3 ETH in the second, so most of the funds were recovered. Later in January, multiple actors used the same method to purchase up to $1.1m worth of NFTs through offers that the NFT owners erroneously believed had been cancelled.

This is a global/international case not involving a specific country.[1]

https://web.archive.org/web/*/https://twitter.com/boredapebot/status/1476844150423277599

About OpenSea

[2][3][4][5][6][7][8][2]

"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."

"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."

"Fascinated by the [CryptoKitties] movement that was forming, Devin Finzer and Alex Atallah joined early adopter communities in Discord and started talking to users. With the OpenSea beta launch in December 2017, the first open marketplace for any non-fungible token on the Ethereum blockchain was born."

"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."

The Reality

"There are [some] straightforward security issues [on OpenSea], which have become newly urgent given the huge quantities of money on their platform."

"A [UI] bug in OpenSea has let hackers buy rare NFTs for well below market value, in some cases leading to hundreds of thousands of dollars in losses for the original owners — and hundreds of thousands of dollars in profits for the apparent thieves." "An interface bug that had been dormant for months let attackers trade on old contracts, causing hundreds of thousands of dollars in unintended sales."

"The exploit appears to rely on the fact that NFT owners are unaware that old marketplace listings for their NFTs are still active. Those old listings are now being used to purchase NFTs at prices chosen by the seller in the past - which is often well below current market prices."

"The bug appears to have been present for weeks and seems to be referenced in at least one tweet from January 1st, 2022. But exploitation of the bug has picked up significantly in the past day: blockchain analytics company Elliptic reported that in a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to “steal” NFTs with a market value of over $1 million."


"According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea’s user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application."

"OpenSea users sell NFTs by setting a “list price” for potential buyers to see. Due to the nature of smart contracts, if a buyer accepts that list price, the NFT is automatically transferred to them. If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API."

"The way OS works is by having their marketplace conducted off-chain to save gas. When you list an item for sale (or bid) you are signing data that validates that you are willing to sell your NFT at this price." "The signature is saved in @opensea's DB off-chain and when someone wants to buy your NFT, they will send to their smart contract your previously signed data, where the signature and sale information (such as expiration & price) are validated on-chain before making the transfer."

"When you cancel a listing, you are required to perform a transaction. Why, you might ask? The reason is that someone might save your signed listing (which is public, or even in their API) and use it later, even if the listing got removed from the UI." "So the transaction on-chain will save the fact that you canceled this sale on their smart contract, and even if someone tries to use your signed data from before, the on-chain validation will reject the sale."

"So what is this bug and how to avoid it? The bug stems from the fact that previously you could re-list an NFT without canceling it (which you can't now) and all the previous listings are not canceled on-chain; this is why re-listing will NOT work." "Furthermore, transferring a previously listed NFT back to the wallet that listed it will not protect you from this bug. Re-listing will not help you either (unless you made sure you cancelled all previous listings)."

"And as we showed before, sites save old listings and now exploiters can use this information to perform the sale, since @opensea's smart contract will believe this sale is valid! (which it kinda is)." "Another big problem that @opensea has is that they don't have an order nonce, so even if you made a listing 6 months ago, then made another one 4 months ago & canceled it after 1 day, the first listing is still valid and may not be visible on the UI."

"@LooksRareNFT, for example, has the ability to cancel all orders using a nonce, so even if you somehow forgot to cancel a listing, this can make sure you are safer." "To sum up, previously you could have re-listed an NFT without canceling the previous listing. Sometimes, but not always, if you cancel your new listing, the old one will not appear on the UI but is still valid." "The two options are to cancel the listing directly or to send it to another wallet without transferring it back until the original listing expires." "Generally, I'd say simplest is to just cancel."



A bug in the OpenSea NFT marketplace allowed hackers to purchase rare NFTs at significantly lower prices, resulting in substantial losses for the original owners and substantial profits for the attackers. The bug had been present for weeks but gained more attention recently, with at least eight instances of exploitation resulting in the theft of NFTs worth over $1 million. One example involved the purchase of a Bored Ape Yacht Club NFT for 0.77 ETH and its quick resale for 84.2 ETH, generating a profit of over $190,000 for the attacker. The bug was caused by a mismatch between NFT smart contracts and the information displayed by OpenSea's interface, allowing attackers to take advantage of old contracts that still existed on the blockchain. Users had previously used a workaround to re-list NFTs for higher prices by transferring them to another wallet, removing the listing from OpenSea's display but keeping it active on the blockchain. The bug was first discovered in December 2021, and it is unclear how OpenSea is addressing the issue[10].

What Happened

OpenSea orders remained valid indefinitely even though they no longer displayed on the interface. After the price of several NFTs rose significantly, multiple actors took advantage of the old orders to purchase NFTs at prices far below market value.

Key Event Timeline - OpenSea Forced Sale By Old Listing

Date | Event | Description
December 31st, 2021 5:59:00 AM MST | cap10bad Twitter Warning | cap10bad reports that there has been an exploit on the OpenSea platform where users have been able to purchase assets at significantly lower prices due to a loophole. The issue arises when a user lists an NFT for sale on OpenSea but later decides to cancel the listing. OpenSea charges a fee for delisting, so users have found a workaround by transferring the NFT to another wallet. This seemingly cancels the listing on OpenSea, but the listing remains active through OpenSea's API. Even though the listing doesn't show on OpenSea, it's still visible and fulfillable through the API, particularly on platforms like Rarible that utilize OpenSea's API. This means that old listings that were thought to be canceled are still active and can be purchased at the listed price. At this time, the issue has been brought to OpenSea's attention, but no action has reportedly been taken yet to address it. Users are advised to exercise caution and check their assets on platforms like Rarible to ensure they are not affected by this exploit[11].
December 31st, 2021 | Initial Bug Discovery | "The bug was discovered as early as December 31st, 2021, according to CoinDesk."
January 12th, 2022 | Tweet | A tweet from January 12th, 2022, details the forced sale of NFTs via the same method.
January 12th, 2022 8:01:00 PM MST | GinoTheGhost OpenSea Bug | The Twitter user GinoTheGhost reported an OpenSea bug that allows people to exploit old listings and purchase NFTs unexpectedly[12]. The bug occurs when sellers transfer their NFTs to another wallet to cancel listings, but the listings remain active on platforms like Rarible. As a result, NFTs are being sold below their floor prices, and users are unaware of how it happened. In the FLUF_World community, a valuable female VIP lanyard NFT was sold for a significantly lower price to an exploiter. The situation was resolved when the NFT was relisted and purchased back for the rightful owner. However, even after the NFT was returned, it was immediately sold again at a lower price due to another old active listing. To avoid such issues, users are advised to check the "active" and "inactive" tabs on Rarible and revoke permissions for collections they are concerned about on revoke.cash. The incident caused frustration and financial losses for many users, but the FLUF_World community came together to support the affected individual[12].
January 24th, 2022 1:26:00 AM MST | Rotem Yakir Tweet Report | Twitter user Rotem Yakir reports that "there is an @opensea devastating bug that will keep old listing and allow exploiters to buy the NFT using their API" and recommends that users "move [thei]r NFT[s] to a new wallet or wallet without any previous listing"[13].
January 24th, 2022 3:27:00 AM MST | Rotem Yakir Tweet Thread | Twitter user Rotem Yakir publishes a thread with more details on the OpenSea exploit[14].
January 24th, 2022 10:20:00 AM MST | The Verge Article | The Verge reports a bug which allowed hackers to buy rare NFTs on OpenSea at significantly discounted prices, leading to substantial losses for the original owners and significant profits for the attackers. The bug had been present for weeks and was exploited multiple times in a 12-hour period before January 24, 2022, with NFTs worth over $1 million stolen. For instance, one NFT, Bored Ape Yacht Club #9991, was bought for 0.77 ETH ($1,760) and resold for 84.2 ETH ($192,400), earning the attacker over $190,000 in profit. The bug was related to a mismatch between information in NFT smart contracts and OpenSea's user interface, allowing attackers to exploit old contracts that persisted on the blockchain but were not visible in OpenSea's view. By transferring the NFTs to other wallets and back, owners had hidden the listings from OpenSea's front-end display while the original listing remained active on the blockchain. OpenSea had not responded to requests for comment on whether the issue was a security flaw or a result of user error[9].

Technical Details

[15]


"According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea’s user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application."

"OpenSea users sell NFTs by setting a “list price” for potential buyers to see. Due to the nature of smart contracts, if a buyer accepts that list price, the NFT is automatically transferred to them. If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing, which costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet. While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API."

Twitter Thread By Rotem Yakir

Rotem Yakir shared a technical analysis of the OpenSea exploit[14][15][16].

"The way OS works is by having their marketplace conducted off-chain to save gas. When you list an item for sale (or bid) you are signing data that validates that you are willing to sell your NFT at this price." "The signature is saved in @opensea's DB off-chain and when someone wants to buy your NFT, they will send to their smart contract your previously signed data, where the signature and sale information (such as expiration & price) are validated on-chain before making the transfer."

"When you cancel a listing, you are required to perform a transaction. Why, you might ask? The reason is that someone might save your signed listing (which is public, or even in their API) and use it later, even if the listing got removed from the UI." "So the transaction on-chain will save the fact that you canceled this sale on their smart contract, and even if someone tries to use your signed data from before, the on-chain validation will reject the sale."

"So what is this bug and how to avoid it? The bug stems from the fact that previously you could re-list an NFT without canceling it (which you can't now) and all the previous listings are not canceled on-chain; this is why re-listing will NOT work." "Furthermore, transferring a previously listed NFT back to the wallet that listed it will not protect you from this bug. Re-listing will not help you either (unless you made sure you cancelled all previous listings)."

"And as we showed before, sites save old listings and now exploiters can use this information to perform the sale, since @opensea's smart contract will believe this sale is valid! (which it kinda is)." "Another big problem that @opensea has is that they don't have an order nonce, so even if you made a listing 6 months ago, then made another one 4 months ago & canceled it after 1 day, the first listing is still valid and may not be visible on the UI."

"@LooksRareNFT, for example, has the ability to cancel all orders using a nonce, so even if you somehow forgot to cancel a listing, this can make sure you are safer." "To sum up, previously you could have re-listed an NFT without canceling the previous listing. Sometimes, but not always, if you cancel your new listing, the old one will not appear on the UI but is still valid."

"Using services like https://orders.rarible.com or even the OS API, someone can obtain the old listing and still use it." "To make sure you are safe, you can check on https://orders.rarible.com and see if your previous listing is still there. However, if you want to be 100% safe then just transfer your NFT to a different wallet." "If you see in your NFT history something like this image, then you are exposed to the issue."

"On a personal note, as a DeFi developer with a lot of experience with NFTs, @opensea is an old product. Slow, bad UX, with old smart contract code which makes you pay much more gas than you should and is not beneficial for traders. Furthermore, they have dangerous bugs." "@LooksRareNFT is a new player with bugs too (not financial bugs, but still), fewer features and fewer listings; however, they have great potential to make our lives easier and safer. I believe that we as a community need to give them a chance to grow."

"In any case, my opinions are my own and I'm not affiliated with @LooksRare in any way, just calling it as it is. Thanks for reading and please consider following and sharing. Be safe!"

"The two options are to cancel the listing directly or to send it to another wallet without transferring it back until the original listing expires." "Generally, I'd say simplest is to just cancel."


Twitter Thread By cap10bad

cap10bad provided the earliest known warning about the exploit[11].

1/ Recently there's been an @opensea exploit that has allowed for assets to be purchased at greatly discounted prices, including 3 freshdrops passes, a BAYC, multiple MAYCs, and more. I did some research this morning and here's what's happening

2/ If an OS user lists an NFT for sale and later decides they don't want that listing to be active anymore, OS will charge for delisting. This can be costly, especially if the price was lowered multiple times, so users have found a workaround -> transfer to another wallet

3/ This effectively cancels the listing in OS and the user transfers the item back to the original wallet, no damage done right? Wrong.

4/ The item may not show the listing on OS, but it is in fact still active through OS's API. The quickest way to view these old listings is on Rarible, which uses OS's API to display and fulfill OS's listings.

5/ The old, presumed cancelled, listings display as active on Rarible and are fulfillable. An example with my X-Punk next: I created a listing on OS, transferred to another wallet, and back. No listing is shown on OS. This is how it's expected to work.

6/ However if you view the same asset on Rarible you'll see it's listed for .25, which is what I listed it at on OS before transferring!

7/ OS has been notified about this bug, but nothing has been done about it yet. Please be careful out there and you might want to go check your assets on Rarible before it's too late!

Twitter Thread By GinoTheGhost

GinoTheGhost provided a public warning while the OpenSea bug was being actively exploited[17].

IMPORTANT THREAD!

please RT to spread the word.

there’s an OpenSea bug (shocking, i know) in their contract that allows people to exploit old listings and buy NFTs right from under you. here’s a story of what happened today & how you can make sure it doesn’t happen to you:

[C]anceling listings can be expensive. [I]t costs gas to cancel EACH listing (every time you lower the price it’s a separate listing). [W]hat many people do is transfer the NFT to another wallet to cancel the listing. [T]his used to work.

suddenly, people have been reporting their NFTs were sold below floor and they don’t even know how. what’s happening is, listings from as long as up to 6 months are still active on @rarible, even OS in some cases, when you transfer them back to your wallet.

today in the @FLUF_World community, a female VIP lanyard (worth at least 10eth) was sold for 2.7eth to someone exploiting the listing. fortunately, when it was re-listed it for 7eth, i sniped it instantly to make sure it could get back into the hands of the rightful owner.

after working out a deal to get the owner their Fluf back, i transferred it back to him. well guess what, IT IMMEDIATELY RE-LISTED FOR 3ETH from an old listing that was still somehow active. fortunately, @maxpoker247 sniped it and saved the day (again). what a [circus].

so what can you do to avoid this happening? step 1: go to https://orders.rarible.com and check the "active" tab. make sure nothing is listed. then check the "Inactive" tab— these are orders which weren’t properly cancelled or executed.

step 2: go to https://revoke.cash and connect your wallet, change the setting from ERC20 to ERC721, and you’ll see all the collections you have granted permissions. simply revoke the permissions for any collection you’re worried about.

today was exhausting. i wasted 6 hours of my life trying to sort this out with the original owner & regain liquidity, only for THE SAME EXPLOIT to almost [mess] the whole thing up anyway. & this result was a DREAM SCENARIO. countless people were [impact]ed by this with no recourse.

big thank you to the @FLUF_World community for stepping up today. so many people donated thousands of dollars to help our friend who [lost funds] by a platform that generates millions of dollars in revenue a day.
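The order flow Rotem Yakir describes above (a listing signed off-chain, cancellation recorded on-chain, no per-maker nonce) together with the approval-revoking step from GinoTheGhost's thread, modelled as an added Python example that is not part of this page, of OpenSea's contracts, or of either author's work. The exchange, the wallets, the "FLUF" collection name, the block numbers and the HMAC stand-in for ECDSA signing are all constructed for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    maker: str          # wallet that signed the listing
    collection: str     # NFT contract; "FLUF" below is a constructed name
    token_id: int
    price_eth: float
    expiry_block: int
    nonce: int = 0      # OpenSea's orders at the time had no such field

    def digest(self) -> bytes:
        return hashlib.sha256(repr(self).encode()).digest()


class Wallet:
    """Signs orders off-chain; HMAC stands in for ECDSA so the model runs offline."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def sign(self, order: Order) -> bytes:
        return hmac.new(self._secret, order.digest(), "sha256").digest()


class Exchange:
    """Marketplace contract plus the collection's ownership and approval state."""
    def __init__(self, verify_keys: dict):
        self._keys = verify_keys      # maker -> key the contract verifies against
        self.owner_of = {}            # (collection, token_id) -> wallet name
        self.operator_ok = set()      # (collection, wallet) granted setApprovalForAll
        self.cancelled = set()        # order digests cancelled by an on-chain tx
        self.min_nonce = {}           # maker -> lowest nonce still valid

    def transfer(self, collection, token_id, frm, to):
        assert self.owner_of[(collection, token_id)] == frm
        self.owner_of[(collection, token_id)] = to   # listing state is untouched

    def set_approval_for_all(self, collection, wallet, approved):
        (self.operator_ok.add if approved else self.operator_ok.discard)((collection, wallet))

    def cancel_order(self, order):                    # one tx per listing, costs gas
        self.cancelled.add(order.digest())

    def cancel_all_orders_below(self, maker, nonce):  # LooksRare-style, one tx for all
        self.min_nonce[maker] = nonce

    def fill(self, order, signature, buyer, block, enforce_nonce=False):
        """The checks the contract runs when a buyer submits a stored signature."""
        h = order.digest()
        expected = hmac.new(self._keys[order.maker], h, "sha256").digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if block > order.expiry_block:
            return False, "expired"
        if h in self.cancelled:
            return False, "cancelled on-chain"
        if enforce_nonce and order.nonce < self.min_nonce.get(order.maker, 0):
            return False, "nonce invalidated"
        if self.owner_of.get((order.collection, order.token_id)) != order.maker:
            return False, "maker does not own the token"
        if (order.collection, order.maker) not in self.operator_ok:
            return False, "marketplace approval revoked"
        self.owner_of[(order.collection, order.token_id)] = buyer
        self.cancelled.add(h)                         # a filled order cannot be reused
        return True, f"sold to {buyer} for {order.price_eth} ETH"


def run_scenario() -> dict:
    alice = Wallet(b"constructed-secret")
    ex = Exchange({"alice": b"constructed-secret"})
    far = 1_000_000                                  # long-lived listing
    ex.owner_of = {("FLUF", t): "alice" for t in (1, 2, 3)}
    ex.set_approval_for_all("FLUF", "alice", True)   # granted once, when first listing
    r = {}

    # 1. Gas-free "workaround": park the NFT in a vault wallet and bring it back.
    old = Order("alice", "FLUF", 1, 2.7, far)
    sig = alice.sign(old)                            # retained by indexers / the API
    ex.transfer("FLUF", 1, "alice", "alice-vault")
    r["while_in_vault"] = ex.fill(old, sig, "bob", block=100)
    ex.transfer("FLUF", 1, "alice-vault", "alice")
    r["after_transfer_back"] = ex.fill(old, sig, "bob", block=200)

    # 2. Without a nonce the old listing stays live; with one, a single tx kills it.
    first = Order("alice", "FLUF", 2, 3.0, far, nonce=0)
    ex.cancel_all_orders_below("alice", 1)
    r["first_with_nonce"] = ex.fill(first, alice.sign(first), "bob", 300, enforce_nonce=True)
    r["first_without_nonce"] = ex.fill(first, alice.sign(first), "bob", 301)

    # 3. The real mitigations: revoke the operator approval, or cancel on-chain.
    third = Order("alice", "FLUF", 3, 2.7, far)
    ex.set_approval_for_all("FLUF", "alice", False)  # the revoke.cash step
    r["after_revoke"] = ex.fill(third, alice.sign(third), "bob", block=400)
    ex.set_approval_for_all("FLUF", "alice", True)
    ex.cancel_order(third)
    r["after_cancel"] = ex.fill(third, alice.sign(third), "bob", block=401)
    return r
```

The model shows that a transfer away and back changes nothing the contract checks, so the stored signature fills at the old price once the token is home again; only an on-chain cancel, a revoked operator approval, expiry, or a nonce bump (which OpenSea lacked) stops it.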

Total Amount Lost

[18]

An earlier event on January 12th had losses estimated at $48,000 USD.

The total amount lost has been estimated at $1,100,000 USD.

Immediate Reactions

TBD - Sources may be missing for this text. Find and add those sources.

Rotem Yakir

[13]

"** Urgent ** There is an @opensea devastating bug that will keep old listing and allow exploiters to buy the NFT using their API. Immediate action is to move your NFT to a new wallet or wallet without any previous listing. I will add a [case] about it very soon."


"NFTs with a market value of $1.1 million have been purchased in this way." "Elliptic has identified at least five attackers who have exploited this loophole to purchase at least twelve NFTs for much less than their market value. These include Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz NFTs."

"For example at around 7am on January 24, a Bored Ape Yacht Club NFT #9991 was purchased for 0.77 ETH ($1,800). This family of NFTs currently sells for at least $198,000. Twenty minutes later the hacker sold the NFT for 84.2 ETH ($196,000) – realizing a profit of $194,000."

Reports On Twitter

Several users reported the exploit on Twitter, including GinoTheGhost[12].

"[T]here’s an OpenSea bug (shocking, i know) in their contract that allows people to exploit old listings and buy NFTs right from under you. [H]ere’s a story of what happened today & how you can make sure it doesn’t happen to you."

Ultimate Outcome

"One attacker, going by the pseudonym "jpegdegenlove" paid a total of $133,000 for seven NFTs – before quickly selling them on for $934,000 in ether. Five hours later this ether was sent through Tornado Cash, a "mixing" service that is used to prevent blockchain tracing of funds."

"Jpegdegenlove also seems to have partially compensated two of their victims - sending 20 ETH ($45,000) to TBALLER and 13 ETH ($30,000) to Vault327."

"Another attacker purchased a single Mutant Ape Yacht Club NFT for $10,600, before selling it on five hours later for $34,800."

Total Amount Recovered

The total amount recovered has been estimated at $34,000 USD for the January 12th incident.

The total amount recovered has been estimated at $75,000 USD for all other incidents.

Ongoing Developments

"It’s unclear whether OpenSea is treating the situation as an open security flaw or a result of user error. The company did not respond to a request for comment by time of publication."

Individual Prevention Policies

Individuals can reduce the risk of an unintended asset transfer by understanding each transaction they sign and periodically reviewing the permissions and open orders associated with their wallet. The risk can be reduced or eliminated by properly cancelling orders on OpenSea, using a new wallet for any new listings, and/or storing purchased NFTs in an offline wallet which is never connected to OpenSea.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Multiple comprehensive third party validations of the OpenSea platform would increase the likelihood of discovering and mitigating issues. One potential solution in this case may be a system to alert users of listings which have not been properly cancelled. An industry insurance fund may be able to provide relief or assistance to affected users.
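The behaviour described in the quoted tweets above (an old listing that stays valid on-chain after the token leaves the wallet and returns, and a nonce-based "cancel all") and the listing-alert system suggested here, as an added example that is not OpenSea's or LooksRare's code: a constructed Python model of off-chain signed listings validated on-chain, with an audit function that flags listings the UI hides but the contract would still fill. The Listing and Chain classes, wallet names and timestamps are assumptions; the token id and prices are the ones quoted on this page.

```python
# Added example: a constructed model (not OpenSea's or LooksRare's code) of off-chain signed listings.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Listing:
    maker: str        # wallet that signed the order off-chain
    token_id: int
    price_eth: float
    nonce: int        # maker's order nonce when signed
    signed_at: int    # timestamp the order was signed
    expiry: int       # timestamp after which the order is void

@dataclass
class Chain:
    owners: dict                                   # token_id -> current owner
    now: int = 0
    cancelled: set = field(default_factory=set)    # orders cancelled one by one
    min_nonce: dict = field(default_factory=dict)  # maker -> lowest valid nonce
    transfers: list = field(default_factory=list)  # (time, token_id, from, to)
    def fillable(self, o: Listing) -> bool:
        """What the contract checks at fill time (signature assumed valid)."""
        return (self.owners.get(o.token_id) == o.maker and self.now <= o.expiry
                and o not in self.cancelled
                and o.nonce >= self.min_nonce.get(o.maker, 0))
    def cancel(self, o: Listing) -> None: self.cancelled.add(o)   # one on-chain tx per order
    def cancel_all(self, maker: str, nonce: int) -> None: self.min_nonce[maker] = nonce  # voids nonces < nonce
    def transfer(self, token_id: int, to: str) -> None:
        self.transfers.append((self.now, token_id, self.owners[token_id], to))
        self.owners[token_id] = to

def ui_shows(o: Listing, chain: Chain) -> bool:
    """Front-end model: an order drops out of the UI once the token left the maker's wallet after signing."""
    return not any(t == o.token_id and f == o.maker and ts >= o.signed_at
                   for ts, t, f, _ in chain.transfers)

def dangling(orders: list, chain: Chain) -> list:
    """Defender-side audit: orders the UI hides but the contract would still fill."""
    return [o for o in orders if chain.fillable(o) and not ui_shows(o, chain)]

def demo():
    chain = Chain(owners={9991: "alice"}, now=100)
    old = Listing("alice", 9991, 0.77, nonce=0, signed_at=100, expiry=10_000)
    chain.now = 200
    chain.transfer(9991, "alice_cold"); chain.transfer(9991, "alice")  # round trip
    chain.now = 300
    new = Listing("alice", 9991, 84.0, nonce=1, signed_at=300, expiry=10_000)
    before = dangling([old, new], chain)   # [old]: hidden in the UI, still fillable
    chain.cancel(old)                      # on-chain cancel (or cancel_all("alice", 2))
    return before, dangling([old, new], chain)
```

Moving the token out and back only changes what the front-end displays; `fillable` is unaffected until a cancel or cancel-all transaction lands on-chain.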

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Multiple comprehensive third party validations of the OpenSea platform would increase the likelihood of discovering and mitigating issues. One potential solution in this case may be a system to alert users of listings which have not been properly cancelled. An industry insurance fund may be able to provide relief or assistance to affected users.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. @boredapebot Twitter (Mar 16, 2022)
  2. How OpenSea took over the NFT trade - The Verge (Mar 10, 2022)
  3. https://opensea.io/ (Mar 9, 2022)
  4. Meet OpenSea | The NFT marketplace with everything for everyone - YouTube (Mar 9, 2022)
  5. https://docs.opensea.io/docs (Mar 9, 2022)
  6. https://docs.opensea.io/docs/frequently-asked-questions (Mar 9, 2022)
  7. https://opensea.io/about (Mar 9, 2022)
  8. OpenSea monthly fees (Ethereum) - Dune Analytics (Mar 10, 2022)
  9. An OpenSea bug let attackers snatch Apes from owners at six-figure discounts - The Verge (Mar 15, 2022)
  10. An OpenSea bug let attackers snatch Apes from owners at six-figure discounts - The Verge (Mar 15, 2022)
  11. cap10bad - "Recently there's been an @opensea exploit that has allowed for assets to be purchased at greatly discounted prices, including 3 freshdrops passes, a BAYC, multiple MAYCs, and more. I did some research this morning and here's what's happening" - Twitter (Mar 16, 2022)
  12. GinoTheGhost - "there's an OpenSea bug (shocking, i know) in their contract that allows people to exploit old listings and buy NFTs right from under you. here's a story of what happened today & how you can make sure it doesn't happen to you" - Twitter (Mar 21, 2022)
  13. Rotem Yakir - "There is an @opensea devastating bug that will keep old listing and allow exploiters to buy the NFT using their API. Immediate action is to move your NFT to a new wallet or wallet without any previous listing." - Twitter (Mar 21, 2022)
  14. Rotem Yakir - "Following my previous tweet, here is a [thread] about the @opensea bug." - Twitter (Aug 22, 2023)
  15. Rotem Yakir - "the bug stems from the fact that previously you could re-list an NFT without canceling it (which you can't now) and all the previous listing are not canceled on-chain" - Twitter (Aug 22, 2023)
  16. Rotem Yakir - "The signature is saved in @opensea's DB off-chain and when someone wants to buy your NFT, they will send to their smart contract your previously signed data where the signature and sale information (such as expiration & price) are validated on-chain before making the transfer" - Twitter (Mar 21, 2022)
  17. GinoTheGhost - "there's an OpenSea bug (shocking, i know) in their contract that allows people to exploit old listings and buy NFTs right from under you. here's a story of what happened today & how you can make sure it doesn't happen to you" - Twitter (Mar 21, 2022)
  18. https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21, 2021)