Marketplace bug sees at least $1 million of NFTs sold below market price


FILE PHOTO: A projection of cyber code on a hooded man is pictured in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

LONDON (Reuters) - A bug in the largest NFT marketplace, OpenSea, allowed attackers to purchase at least $1 million worth of NFTs across multiple different wallets for significantly below market price, blockchain analytics firm Elliptic said on Monday.

A non-fungible token (NFT) is a form of crypto asset, which records the ownership status of digital files on blockchain. OpenSea is the largest marketplace for speculators and enthusiasts to trade their NFTs, with $4.8 billion worth of sales volume so far in January.

But a flaw in the marketplace allowed users to buy certain NFTs at prices which they had been listed for in the past, without the owner realising that they were still on sale.

OpenSea did not immediately respond to a request for comment.

"The exploit appears to come from the fact that it was previously possible to re-list an NFT at a new price, without cancelling the previous listing," said Tom Robinson, chief scientist and co-founder at Elliptic.

"Those old listings are now being used to buy NFTs at prices specified in the past - often well below current market prices."

For example, an NFT of a cartoon ape from the Bored Ape Yacht Club collection, Bored Ape #9991, was bought for 0.77 of the cryptocurrency ether (around $1,747) on Monday, despite the fact that such NFTs usually fetch hundreds of thousands of dollars.

Bored Ape Yacht Club is a set of 10,000 algorithmically generated cartoon ape NFTs made by the U.S.-based company Yuga Labs.

Around 20 minutes after Bored Ape #9991 was bought for 0.77 ether, it was sold on for 84.2 ether (around $189,040), according to blockchain records seen on OpenSea, giving the buyer a profit of more than $187,000.

The NFT's original owner, who identified themselves on Twitter as "TBALLER.eth" (@T_BALLER6), tweeted their shock at the transaction, which they said they did not authorise:

"Yooo guys! Idk what just happened by why did my ape just sell for .77?????"

"I didn’t list me ape at all.... Now I’m seeing DMs it sold for .77?????? Wtf??????"

Elliptic's Robinson said that he had identified eight NFTs stolen in this way so far, from eight different wallets, by three attacker wallets.

One person paid a total of $133,000 for seven NFTs by exploiting the bug, before then quickly selling them on for $934,000, Robinson said.

He noted that while crypto wallets are usually anonymous, it may be possible for the attackers to be identified if they use an exchange to cash out into fiat currency.

As celebrities, investors, and top brands flock to the NFT market -- where sales volumes and prices of some sought-after NFTs have seen eye-watering growth -- the OpenSea bug may give some buyers reason to pause.

OpenSea was founded in 2017 and was recently valued at $13.3 billion in its latest round of venture funding.

Elliptic data shows that since 2020, $2 billion has been stolen from users of decentralised finance (DeFi) through hacks.

"It's not common to see marketplace-wide exploits. We do see individual users being hacked and having their NFTs stolen, for example through phishing attacks, but it's not common to see something that affects potentially the entire marketplace," Robinson added.

(Reporting by Elizabeth Howcroft; Editing by Andrea Ricci)

Article type: metered
User Type: anonymous web
User Status:
Campaign ID: 1
Cxense type: free
User access status: 3
Join our Telegram channel to get our Evening Alerts and breaking news highlights

   

Next In Tech News

In a faceoff with Elon Musk, the SEC blinked
App to help blind people navigate public transit to debut in Washington
Exclusive-Neumann-backed climate tech venture Flowcarbon raises $70 million
Central African Republic to launch bitcoin investment platform
Billionaire Styers backs climate tech firm Regrow Ag
Rapid grocery apps take it slowly after Dutch cities push back
Activision union gets legal recognition in gaming first
'Looty' project launches digital art heists to reclaim African artifacts
Russia's no. 1 mobile operator MTS starts selling used and discounted smartphones
German grocery app Gorillas to cut staff in search of profit

Others Also Read