A hacker exploits a flaw in the OpenSea platform and steals $750,000

by Tim

A hacker has managed to exploit a flaw in the OpenSea platform that was reported more than 3 weeks ago. He was able to buy NFTs at a lower price and make a profit of $750,000.

A flaw in OpenSea

Many owners have reported seeing their non-fungible tokens (NFTs) from the Bored Ape Yacht Club collection sell for far less than their actual value on the OpenSea platform.

A hacker has allegedly managed to exploit a flaw in the frontend of the OpenSea trading platform, allowing him to buy NFTs for tens of thousands of dollars less than their floor price (minimum trading price).

Tballer, the person who reported the theft on his Twitter account, saw his BAYC 8924 were also sold for 23 ETH (about $51,000) and 6.66 ETH ($14,700), while the current low price for the Bored Ape Yacht Club collection is $200,000.

The hacker also bought two Mutant Apes, a secondary collection of the BAYC, as well as a Cool Cats NFT and a CyberKongz NFT. In total, this earned him 332 ETH, or about $733,500.

Event history for BAYC 9991 (Source: OpenSea)

The mystery buyer is called “jpegdegenlove” and has been renamed “OpenSea Opportunistic Buyer” on Etherscan.

A bug in the platform’s API

When an OpenSea user wants to change the minimum selling price of an NFT, the platform will charge them a change fee, which can be quite large if the price has been changed multiple times.

However, some NFT sellers have managed to get around this problem. They transfer the NFT in question to another wallet and then send it back to the original wallet so that they can change the price without paying more.

But this is where the loophole is created. Effectively, the original sell order is no longer visible on the platform, but remains accessible in the site’s Application Programming Interface (API), allowing a malicious buyer to access the previous “invisible” prices.

In concrete terms, the change is visible on the frontend of the site, but all the history remains accessible on the backend.

Thus, the hacker was able to access the previous price listings via the Rarible platform and purchase the NFTs at those lower prices.
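The stale-listing condition described above can be modelled as an owner-side audit. This is an added example, not OpenSea's code or API: the `Listing` fields, the rule that the frontend only shows listings created since the token last arrived in the wallet, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Listing:
    order_id: str                   # constructed identifier
    maker: str                      # wallet that created the sell order
    token: str
    price_eth: float
    created: int                    # time the order was created
    cancelled: bool = False         # explicitly cancelled by the maker
    expires: Optional[int] = None   # None = never expires

def is_fillable(l, owner, now):
    """Assumed backend rule: an order can be filled if its maker holds the
    token right now and the order is neither cancelled nor expired.
    Moving the token away and back does not change any of these."""
    return (l.maker == owner and not l.cancelled
            and (l.expires is None or l.expires > now))

def audit_listings(listings, token, owner, last_received, now):
    """Split the fillable orders for `token` into what the frontend shows
    (created since the token last arrived in `owner`'s wallet) and what is
    hidden but still fillable. Hidden orders are sorted cheapest first."""
    live = [l for l in listings
            if l.token == token and is_fillable(l, owner, now)]
    shown = [l for l in live if l.created >= last_received]
    hidden = sorted((l for l in live if l.created < last_received),
                    key=lambda l: l.price_eth)
    return shown, hidden

# Constructed sample: the owner moved TOKEN-1 out and back at t=500
# instead of cancelling order-1, then relisted at a higher price.
OWNER = "0xOWNER"   # placeholder wallet
SAMPLE = [
    Listing("order-1", OWNER, "TOKEN-1", 20.0, created=100),
    Listing("order-2", OWNER, "TOKEN-1", 35.0, created=200, cancelled=True),
    Listing("order-3", OWNER, "TOKEN-1", 40.0, created=300, expires=400),
    Listing("order-4", OWNER, "TOKEN-1", 90.0, created=600),
]

if __name__ == "__main__":
    shown, hidden = audit_listings(SAMPLE, "TOKEN-1", OWNER, 500, now=700)
    for l in hidden:
        print(f"cancel {l.order_id}: still fillable at {l.price_eth} ETH, "
              f"displayed price is {min(s.price_eth for s in shown)} ETH")
```

In this model only an explicit cancellation or an expiry removes order-1 from the fillable set, which is why the transfer workaround leaves the old price live.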

The flaw had already been reported by Twitter user @cap10bad on December 31, but the problem still doesn’t seem to have been solved by OpenSea more than three weeks after its discovery.

OpenSea still the market leader in NFTs

OpenSea’s NFT exchange platform continues to lead the market, with an ever-growing user base of approximately 457,000 at the beginning of 2022.

Monthly active users on OpenSea (Source: Dune Analytics)

It saw its monthly trading volume reach $3.24 billion in December alone, putting it far ahead of its main competitor Rarible, which saw “only” $21 million in trading volume on its platform over the same period.

The Bored Ape Yacht Club collection was not chosen at random during this hack. Indeed, its NFTs have the highest floor price of any collection (currently 87.7 ETH, or about $185,000).

The market capitalisation of BAYCs is currently 2.37 billion dollars. Many stars have bought BAYC NFTs, such as Stephen Curry, Post Malone, Jimmy Fallon, Snoop Dogg or, more recently, the rapper Eminem.
