A hacker has exploited a flaw on the OpenSea platform that had already been reported more than three weeks earlier. He was able to buy NFTs below their market price and make a profit of 750,000 dollars.
A flaw on OpenSea
Several owners have reported seeing their non-fungible tokens (NFTs) from the Bored Ape Yacht Club collection sold for much less than their real value on the OpenSea platform.
A hacker allegedly managed to exploit a flaw in the frontend of the OpenSea exchange platform, allowing him to buy NFTs for tens of thousands of dollars less than their floor price (the minimum price at which the collection's NFTs are listed).
Tballer, the person who reported the theft on his Twitter account, saw his BAYC #9991 go for 0.77 ETH, or $1,700.
It was resold just an hour later for $185,000. BAYC #8274 and #8924 were also sold for 23 ETH (about $51,000) and 6.66 ETH ($14,700) respectively, while the current floor price for the Bored Ape Yacht Club collection is $200,000.
The hacker also purchased two Mutant Apes, from a secondary collection of the BAYC, as well as a Cool Cats NFT and a CyberKongz NFT. In total, this earned him 332 ETH, or about $733,500.
The mystery buyer goes by the name “jpegdegenlove” and has been renamed “OpenSea Opportunistic Buyer” on Etherscan.
A bug in the platform’s API
When an OpenSea user wants to change the minimum selling price of an NFT, the platform charges them a fee to modify the listing, which can become significant if the price is changed several times.
However, some NFT sellers have found a way around this cost. They transfer the NFT in question to another wallet and then send it back to the original wallet, so that they can set a new price without paying the modification fee.
But this is where the loophole arises. In effect, the original sell order is no longer visible on the platform, but it remains accessible through the site's Application Programming Interface (API), allowing a malicious buyer to retrieve the previous, "invisible" listing prices.
In concrete terms, the change is visible on the site's frontend, but the full listing history remains accessible in the backend.
Thus, the hacker was able to retrieve the previous price listings via the Rarible platform and buy the NFTs at the lower price.
The flaw had already been reported by Twitter user @cap10bad on December 31, but OpenSea still does not appear to have fixed it more than three weeks after its discovery.
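To make the mechanism concrete, here is an added toy model (constructed for this article, not OpenSea's code) of a marketplace whose listings are signed orders stored off-chain while ownership lives on-chain. The class and method names, the wallet names and the nonce-based cancellation are assumptions; the prices reuse the 0.77 ETH sale and the 87.7 ETH floor mentioned on this page. Moving the token out and back only hides the old order in the frontend; it does not invalidate it, so a buyer who reads the raw order feed can still fill it. The hardened mode shows the usual fix: an on-chain nonce that the seller bumps to cancel, which the fill path checks.

```python
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Order:
    seller: str
    token_id: int
    price_eth: float
    nonce: int
    sig: str


class MarketModel:
    """Off-chain order book plus a minimal on-chain state (owners, nonces).

    Constructed model for illustration; names and structure are assumptions.
    """

    def __init__(self, owners):
        self.owners = dict(owners)   # on-chain: token_id -> wallet
        self.nonces = {}             # on-chain: wallet -> current nonce (hardened mode)
        self.orders = []             # off-chain: every signed order ever submitted
        self.hidden = set()          # frontend-only flag, never touches chain state

    def _sign(self, seller, token_id, price_eth, nonce):
        # Stand-in for a wallet signature over the order fields.
        msg = f"{seller}|{token_id}|{price_eth}|{nonce}".encode()
        return hashlib.sha256(msg).hexdigest()[:16]

    def list_token(self, seller, token_id, price_eth):
        assert self.owners[token_id] == seller, "only the current owner can list"
        nonce = self.nonces.get(seller, 0)
        sig = self._sign(seller, token_id, price_eth, nonce)
        order = Order(seller, token_id, price_eth, nonce, sig)
        self.orders.append(order)
        return order

    def transfer(self, token_id, to):
        # The frontend reacts by hiding listings for the token, but the signed
        # orders still exist and remain fillable once ownership matches again.
        for o in self.orders:
            if o.token_id == token_id:
                self.hidden.add(o.sig)
        self.owners[token_id] = to

    def cancel_orders_onchain(self, seller):
        # Mitigation: bump the seller's nonce so every earlier signed order fails.
        self.nonces[seller] = self.nonces.get(seller, 0) + 1

    def visible_listings(self):
        return [o for o in self.orders if o.sig not in self.hidden]

    def api_orders(self):
        # What a client reading the raw order feed sees: hidden orders included.
        return list(self.orders)

    def fill(self, order, buyer, hardened):
        expected = self._sign(order.seller, order.token_id, order.price_eth, order.nonce)
        if order.sig != expected:
            return False
        if self.owners[order.token_id] != order.seller:
            return False
        if hardened and order.nonce != self.nonces.get(order.seller, 0):
            return False  # stale order: seller cancelled on-chain since signing
        self.owners[order.token_id] = buyer
        return True


def run_scenario(hardened):
    """Seller lists low, 'delists' by moving the token out and back, relists at floor."""
    m = MarketModel({9991: "seller"})
    stale = m.list_token("seller", 9991, 0.77)     # old, low listing
    m.transfer(9991, "seller-cold")                # moved out: frontend hides the listing
    m.transfer(9991, "seller")                     # moved back: order is fillable again
    if hardened:
        m.cancel_orders_onchain("seller")          # the fix: invalidate on-chain, not in the UI
    m.list_token("seller", 9991, 87.7)             # new listing at the floor price
    filled = m.fill(stale, "buyer", hardened)      # buyer submits the old order from the feed
    return {
        "visible_prices": [o.price_eth for o in m.visible_listings()],
        "api_prices": sorted(o.price_eth for o in m.api_orders()),
        "stale_fill_ok": filled,
        "owner_after": m.owners[9991],
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

In both modes the frontend shows only the 87.7 ETH listing, yet the raw feed still carries the 0.77 ETH order. The difference is that the hardened fill path rejects the stale nonce. The trade-off is exactly the one the article describes: a real on-chain cancellation costs a transaction fee, which is what the transfer-out trick was meant to avoid, and a listing that is merely hidden in the interface is not cancelled.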
OpenSea still the market leader in NFTs
NFT exchange platform OpenSea remains the market leader, with an ever-growing user base of approximately 457,000 at the beginning of 2022.
Its monthly trading volume reached $3.24 billion in December alone, putting it far ahead of its main competitor Rarible, which recorded "only" $21 million in trading volume over the same period.
The Bored Ape Yacht Club collection was not chosen at random in this hack. Its NFTs have the highest floor price of any collection (87.7 ETH currently, or about $185,000).
The market capitalization of BAYC is currently 2.37 billion dollars. Many stars have bought BAYC NFTs, including Stephen Curry, Post Malone, Jimmy Fallon, Snoop Dogg and, more recently, the rapper Eminem.