Thanks to a front-end vulnerability on OpenSea, a group of hackers has made off with over $1 million worth of digital collectibles.
According to blockchain security firm PeckShield, the malicious actors made approximately 347 ETH from Ethereum's largest NFT marketplace, OpenSea. The bug allowed the hackers to buy high-priced NFTs far below their market value. The buyer, who goes by the name "jpegdegenlove," scooped BAYC #8924 for 6.66 ETH (around $14,700). He also bought #8274 for under 23 ETH ($50,800). For some context, the lowest-priced BAYC NFT is currently 85 ETH, or around $200,000.
The so-called “OpenSea Opportunistic Buyer” also bought two Mutant Apes, a CyberKongz, and a Cool Cats NFT. Although there have been varying reports on how much the attacker made, blockchain analytics firm Elliptic said that at least three attackers were involved in the exploit, and they made over $1 million.
The exploit appears to originate from the ability to re-list an NFT at a new price without canceling the previous listing. A listing is a signed order that stays fulfillable until it is explicitly canceled, so those earlier listings, no longer shown on the site but still valid, are now being used to purchase NFTs at prices specified at some point in the past, which is often well below current market prices.
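The following is an added illustration of the mechanism described above, not OpenSea's or Wyvern's code. It models a marketplace where listings are off-chain signed orders; the "signature" is a hash over a constructed secret standing in for ECDSA, all names (Marketplace, create_listing, relist, cancel_all, fulfill) and the token IDs are hypothetical. The vulnerable flow re-lists without invalidating the earlier order; the hardened flow bumps the seller's on-chain nonce on every re-list, which is the check that makes every older signed order unfulfillable.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed "private keys"; a real marketplace verifies ECDSA signatures
# over EIP-712 typed data, which this hash-based stand-in only approximates.
SECRETS = {"alice": "alice-secret"}


@dataclass(frozen=True)
class Order:
    seller: str
    token_id: int
    price_eth: float
    nonce: int        # seller's on-chain order nonce at signing time
    signature: str


def sign_order(seller, token_id, price_eth, nonce):
    payload = json.dumps(
        {"seller": seller, "token_id": token_id,
         "price_eth": price_eth, "nonce": nonce},
        sort_keys=True)
    sig = hashlib.sha256((SECRETS.get(seller, "") + payload).encode()).hexdigest()
    return Order(seller, token_id, price_eth, nonce, sig)


def signature_valid(order):
    # Recompute the signature over the order fields and compare.
    expected = sign_order(order.seller, order.token_id, order.price_eth, order.nonce)
    return expected.signature == order.signature


class Marketplace:
    def __init__(self, enforce_nonce):
        self.enforce_nonce = enforce_nonce  # False: vulnerable; True: hardened
        self.owner = {}    # token_id -> current owner
        self.nonce = {}    # seller -> current on-chain order nonce
        self.book = []     # every order ever broadcast (off-chain order book)

    def mint(self, owner, token_id):
        self.owner[token_id] = owner

    def create_listing(self, seller, token_id, price_eth):
        order = sign_order(seller, token_id, price_eth, self.nonce.get(seller, 0))
        self.book.append(order)
        return order

    def cancel_all(self, seller):
        # On-chain nonce bump: every order signed under the old nonce dies.
        self.nonce[seller] = self.nonce.get(seller, 0) + 1

    def relist(self, seller, token_id, price_eth):
        # Vulnerable flow: a new order is signed but the old one is never
        # cancelled, so it stays fulfillable at the old price.
        if self.enforce_nonce:
            self.cancel_all(seller)
        return self.create_listing(seller, token_id, price_eth)

    def fulfill(self, order, buyer):
        # The checks a settlement contract performs before moving the token.
        if not signature_valid(order):
            return False
        if self.owner.get(order.token_id) != order.seller:
            return False
        if self.enforce_nonce and order.nonce != self.nonce.get(order.seller, 0):
            return False  # stale order: signed under a superseded nonce
        self.owner[order.token_id] = buyer
        return True


def demo(enforce_nonce):
    """Seller lists low, re-lists high; buyer submits the stale low order."""
    m = Marketplace(enforce_nonce)
    m.mint("alice", 8924)
    stale = m.create_listing("alice", 8924, 6.66)   # old listing, old price
    m.relist("alice", 8924, 85.0)                    # seller raises the price
    bought = m.fulfill(stale, "buyer")               # stale order pulled from the book
    return bought, m.owner[8924]


if __name__ == "__main__":
    print("vulnerable:", demo(enforce_nonce=False))  # stale order succeeds
    print("hardened:  ", demo(enforce_nonce=True))   # stale order rejected
```

The point the model makes is that hiding a listing in the UI does nothing to the signed order itself; only an on-chain cancellation (here a nonce increment covering all of the seller's earlier orders) stops it from being filled.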
Although the suspicious activity happened over the past day, the bug has been present for several weeks and was even flagged on January 1.
In what may have been a gesture of goodwill, "jpegdegenlove" later compensated two of the victims, transferring them a total of $75,000 worth of Ether.
Commenting on the incident, Charles Guillemet, CTO of hardware wallet maker Ledger, said it was unsafe for NFT holders to list their digital collectibles on OpenSea:
It’s very difficult to use this platform securely right now. The only thing we can do is to mitigate the risk.