In light of growing criticism and complaints from the crypto community, one of the largest NFT marketplaces, OpenSea, has refunded approximately $1.8 million to users who were affected by the recent hack on its platform.
On January 24, 2022, some OpenSea users saw their valuable NFTs sold at rock-bottom prices by hackers who leveraged a flaw on the OpenSea listing process to purchase those NFTs at almost 98% discounts and subsequently resell them for much higher.
The OpenSea bug
According to a report by blockchain analytics firm Elliptic, the OpenSea exploit was the result of a flaw in the way the platform handles asset listings on its platform.
OpenSea is built on the Ethereum blockchain, which is notorious for its outrageous gas fees. Therefore, to cut down on the amount spent on transactions, the NFT marketplace handles most of its functions off-chain until those transactions need to be sent to the blockchain for settlement.
To list an asset, NFT sellers on the platform will need to sign off-chain data confirming the amount they wish to sell their NFTs. However, the problem arises when providers decide to send a message to the blockchain to cancel the initial listing.
To avoid paying gas fees, the vendors simply transfer the NFT to another wallet, which makes the initial offer invalid as the NFT is no longer on OpenSea.
Things get complicated when sellers transfer the assets to their OpenSea wallets, perhaps when the value of the NFT has increased significantly over time. Indeed, the original list was not erased from the blockchain and anyone could buy the NFT at the original price, which was exactly what the authors did.
They allegedly discovered this design flaw in the OpenSea system and executed their attack using a bot to scan the network for NFTs with low floor pending orders and purchased them.
Elliptic revealed that it identified at least five attackers involved in the exploit, including user jpegdegenlove who earned at least 340 Ether worth over $800,000 at current prices from the exploit.
OpenSea Makes Amends
Following the exploit, OpenSea launched a new listing manager on the platform, which allows users to effectively review both active and inactive listings and a one-click option to cancel inactive ones.
The NFT market has also contacted affected users and refunded them. Speaking to Bloomberg, attack victim Robert Garcia said his Mutant Ape NFT was sold for 4.7 Ether (about $11,300) on Sunday.
Garcia noted that he immediately emailed OpenSea after the unintentional sale, and received a response from them on Thursday that offered him a refund of 13.8 Ether worth over $35,000 at current prices.
