PeckShield investigators have confirmed what some members of the crypto community had already been warning about: hackers are exploiting a bug in OpenSea, the world’s largest NFT marketplace.
About 332 ETH (R$ 4.1 million) were stolen from the platform this morning (24) through a breach opened by a “front-end problem”, tweeted PeckShield, without going into more detail.
But apparently the problem is not new. The bug allows attackers to buy NFTs at the much lower prices stated in old listings that should no longer appear on the platform.
After buying the NFTs at low prices, they resell them at a new price that matches their current valuation, giving the attacker a large profit margin. The problem therefore directly affects platform users who are losing their NFTs.
BAYC #8274, for example, was “bought” this morning for 22.9 ETH and then sold for 130 ETH, giving the attacker a profit of 100 ETH in a few minutes, around BRL 1.2 million at the current Ethereum price.
As analyst Tal Be’ery showed, the original holder listed the token on OpenSea for 22.9 ETH on July 9, 2021, and it was at this price that the attacker was able to take the item.
The person behind the attack is known as jpegdegenlove and, in addition to the Bored Ape Yacht Club, he also stole NFTs from other famous collections such as the Mutant Ape Yacht Club and Cool Cats.
The user @ToastVirtual was another victim of the bug and voiced his frustration on Twitter: “Shit OpenSea. I’m very upset with your damn website now, I just woke up on a Monday morning to find that my monkey Bored Ape just sold for 6.66 ETH overnight due to an old listing price.”
How the bug is being exploited
Developer Rotem Yakir explained that, to understand the loophole, it is necessary to know that part of the trading on OpenSea takes place off-chain to save on Ethereum network fees.
“When you list an item for sale (or bid), you are signing data that validates that you are willing to sell your NFT at that price. The signature is saved in the OpenSea off-chain database and when someone wants to buy your NFT, they will send their previously signed data to the smart contract, where the signature and sale information (such as expiration and price) is validated on the chain before making the transfer,” he explains.
The problem is that, this way, old listings remain saved in the database even if the user creates a new listing for the same NFT. To avoid this problem, a holder who gives up on selling an item is now obliged to carry out a transaction that records the decision on the blockchain.
As seen this morning, an attacker can save the signed listing, which is public on https://orders.rarible.com or the OpenSea API, and exploit it later, even if the listing has been removed from the UI.
“The on-chain transaction will save the fact that you canceled that sale in your smart contract, and even if someone tries to use your previously signed data, the on-chain validation will reject the sale,” says Yakir.
While it is now mandatory to send a transaction to unlist on OpenSea, this was not always the case, and it is precisely the NFTs listed before the change that are being exploited at this time.
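A minimal model of the validation Yakir describes, added here as an illustration and not OpenSea's contract code: an HMAC stands in for the wallet signature, and the key, timestamps, nonces and the 120 ETH relisting price are constructed. It shows that an older signed listing keeps validating until it expires or is cancelled on-chain, and lists such orders so a holder knows what to cancel.

```python
import hashlib
import hmac
import json

SELLER_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the wallet's signature


def _digest(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SELLER_KEY, msg, hashlib.sha256).hexdigest()


def sign_listing(token_id, price_eth, expires_at, nonce):
    """Seller signs an off-chain listing; the signed order sits in a public database."""
    body = {"token_id": token_id, "price_eth": price_eth,
            "expires_at": expires_at, "nonce": nonce}
    return {**body, "sig": _digest(body)}


class Marketplace:
    """Toy stand-in for the on-chain checks: signature, expiry, cancellation."""

    def __init__(self):
        self.cancelled = set()  # on-chain record of cancelled orders

    def cancel(self, order):
        self.cancelled.add(order["sig"])

    def is_fillable(self, order, now):
        body = {k: v for k, v in order.items() if k != "sig"}
        return (hmac.compare_digest(_digest(body), order["sig"])
                and now < order["expires_at"]
                and order["sig"] not in self.cancelled)


def stale_fillable(market, signed_orders, current, now):
    """Orders signed earlier that are not the current listing yet still validate."""
    return [o for o in signed_orders
            if o["sig"] != current["sig"] and market.is_fillable(o, now)]


def demo():
    now, far = 1_643_000_000, 2_000_000_000        # constructed timestamps
    market = Marketplace()
    old = sign_listing(8274, 22.9, far, nonce=1)   # old price from the article
    new = sign_listing(8274, 120.0, far, nonce=2)  # constructed relisting price
    before = stale_fillable(market, [old, new], new, now)
    market.cancel(old)                             # the on-chain cancel transaction
    after = stale_fillable(market, [old, new], new, now)
    return [o["price_eth"] for o in before], [o["price_eth"] for o in after]
```

Creating the new listing does nothing to the old signature; only the explicit cancel or the expiry check removes it from the fillable set.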
In the past, users could sell an NFT at a new price, without having to cancel the previous listing. To solve this problem, users themselves must act, as the developer advised: “If you want to be 100% safe, just transfer your NFT to a different wallet”.
So far, the OpenSea team has not commented on this morning’s exploit.