Buyers used a loophole on the OpenSea platform to purchase the digital assets at hidden, below-market prices.
A standard rule of shopping is that when prices go up, you have to pay the newer, higher rate — not the older, lower one. But what if the older price is still available, and you know where to look?
Savvy opportunists managed to buy more than $1 million in non-fungible tokens (NFTs) from OpenSea, the largest market for such digital assets, at older and significantly lower prices by exploiting a bug in how the platform managed active listings. Attackers exploited users who had transferred their previously listed NFTs to other wallets without having canceled the listings.
The bug gave its exploiters the ability to buy those NFTs on the cheap, at their earlier listed price, and then sell them at much higher current market rates. And it left the unwitting NFT owners nursing thousands of dollars of losses, according to Elliptic, the blockchain analytics company that identified the anomalous transactions.
“It’s a bit like being on eBay and listing something for sale,” said Tom Robinson, chief scientist and founder of Elliptic. “If you want to increase the price of this, you wouldn’t create a new listing and leave the old one going. You’d replace that listing. The problem here is that people aren’t cancelling the original listing.”
Sellers who want to cancel their listings on NFT platforms have to send messages over the blockchain, and that requires them to pay transaction or “gas” fees, Robinson said.
NFT users tend to have multiple wallets, and so to circumvent the fees, Robinson believes some users may have simply been transferring their NFTs to a different one. But if they transferred those NFTs back into the original wallets, that original listing — and its old sale price — becomes viable and can be used by buyers.
A spokesperson for the platform told Bloomberg the issue arises because “OpenSea cannot cancel listings on behalf of users. Instead, users must cancel their own listings.”
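The behaviour described above, sketched as an added example that is not part of the original article and not OpenSea's code: a simplified model in which a listing stays valid until its maker cancels it and becomes buyable again whenever the maker holds the token, plus a check an owner could run before moving an NFT back. The wallet names, token id, class and function names are hypothetical; the 3 ETH price and 12 ETH floor echo the Cool Cat case reported here.

```python
from dataclasses import dataclass

@dataclass
class Listing:
    maker: str               # wallet that created the sell listing
    token_id: str
    price_eth: float
    cancelled: bool = False  # changes only when the maker pays gas to cancel

def is_fillable(listing, owner_of):
    """Buyable only if never cancelled AND the maker holds the token right now."""
    return (not listing.cancelled
            and owner_of.get(listing.token_id) == listing.maker)

def risky_on_transfer(listings, token_id, to_wallet, floor_eth):
    """Pre-transfer check: uncancelled listings made by the receiving wallet
    that would become buyable again, below the current floor price."""
    return [l for l in listings
            if l.token_id == token_id and l.maker == to_wallet
            and not l.cancelled and l.price_eth < floor_eth]

def demo():
    # Constructed sample data (hypothetical wallets and token id).
    owner_of = {"cat-1": "wallet_a"}
    old = Listing(maker="wallet_a", token_id="cat-1", price_eth=3.0)
    states = [is_fillable(old, owner_of)]      # listed by the current owner

    owner_of["cat-1"] = "wallet_b"             # moved away instead of cancelling
    states.append(is_fillable(old, owner_of))  # dormant, but not cancelled

    # Run the check before sending the token back to the original wallet.
    flagged = risky_on_transfer([old], "cat-1", "wallet_a", floor_eth=12.0)

    owner_of["cat-1"] = "wallet_a"             # moved back: old price is live
    states.append(is_fillable(old, owner_of))

    old.cancelled = True                       # explicit cancellation ends it
    states.append(is_fillable(old, owner_of))
    return states, flagged

if __name__ == "__main__":
    print(demo())
```

A transfer makes an old listing dormant rather than cancelled, so the only durable fix in this model is the explicit cancellation.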
The loophole demonstrates the extent to which the user experience decisions made by the biggest platforms in crypto can lead to expensive mistakes by even their most sophisticated (and wealthy) customers. OpenSea said it was implementing a number of interface changes designed to “make users aware of all their listings” to reduce the likelihood of these hidden sales, with more changes expected.
According to OpenSea data analyzed by Bloomberg News, user jpegdegenlove made at least 340 ETH (about $800,000 at current prices) in just a matter of hours by exploiting the OpenSea bug and selling at least five NFTs, three of which were from the Bored Ape Yacht Club collection. Assets in several collections were affected, including Cool Cats, Mutant Ape Yacht Club and CyberKongz.
The user behind jpegdegenlove bought one Bored Ape Yacht Club NFT for 0.77 ETH and sold it for 84.2 ETH, according to OpenSea data. They also bought a Cool Cat for 3 ETH from a wallet account named “mario” and then sold it for 10.99 ETH, according to data on OpenSea.
The user behind the “mario” wallet told Bloomberg News that he realized his NFT had been unwittingly sold when he woke up to texts from people asking why he had sold his Cool Cat for 3 ETH when the floor price for that collection was about 12 ETH.
The user said he manages several wallets and had transferred the NFT in question back to an old account a few days ago. He insisted that OpenSea still showed the correct market price of the NFT, and suspects that the exploiter must have dug up a six-month-old price of the listing through the NFT’s contract.
Elliptic later found that jpegdegenlove seemed to have partially compensated some of the account’s victims.
“I think a lot of responsibility is being placed on the user to understand how these systems operate,” said Elliptic’s Robinson. “There’s a tension here between whether the responsibility really is on the user or whether some of that responsibility should be on marketplaces such as OpenSea to protect users from these types of exploits.”
Victims of these kinds of exploits have little recourse other than the goodwill of the crypto community. Carson Turner of Atlanta discovered that old listings of two of his NFTs from the Bored Ape Yacht Club and Mutant Ape Yacht Club collections had reappeared online. They were purchased for 87 ETH and 19 ETH, the equivalent of $194,097 and $42,959. That was well below the market price that week of roughly 128 ETH, or $285,696, for the first one and 37 ETH for the second.
The 38-year-old aviation specialist was able to track down the buyers of this old listing and bought back his NFTs for 97 ETH and 19 ETH. He contacted OpenSea and got others on social media to express their outrage at his losses. He eventually got his money reimbursed by the NFT marketplace, losing only about $700 in the process.
“My situation is quite unique in that I got my money back,” Turner said. “That seems to be the exception more than the rule.”
An OpenSea spokesperson told Bloomberg they “have been actively reaching out to and reimbursing affected users.”