Someone has reportedly found a way to exploit the front-end of the most popular non-fungible token (NFT) marketplace – OpenSea. The perpetrator is supposedly going after members of the Bored Ape Yacht Club and their valuable apes.
The OpenSea Exploit
PeckShieldAlert, the real-time alerts bot of the popular security firm PeckShield, warned of a front-end issue on OpenSea earlier today, revealing that the exploiter had already gained 332 ETH, worth roughly $750K at the time of this writing.
— PeckShieldAlert (@PeckShieldAlert) January 24, 2022
Bored Apes Sniped for Less Than 25 ETH
Apparently, there’s been an earlier exploit with similar characteristics where the bug allowed for assets to be bought at severely discounted prices.
1/ Recently there’s been an @opensea exploit that has allowed for assets to be purchased at greatly discounted prices, including 3 freshdrops passes, a BAYC https://t.co/8pEgeXkOBo, multiple MAYCs, and more. I did some research this morning and here’s what’s happening -> a
— cap10bad.ΞTH | freshdrops.io (@cap10bad) December 31, 2021
The user explains that if someone using OpenSea listed an NFT for sale and later decided they didn’t want that listing to be active, the platform would charge for its delisting. This, however, can be costly, so users found a workaround where they would transfer the NFT to another wallet, which effectively cancels the listing.
This is where things got messy.
The item may not show the listing on OS, but it is, in fact, still active through OS’s API. The quickest way to view these old listings is on Rarible, which uses OS’s API to display and fulfill OS listings.
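As an added example (not from the article, the quoted thread or OpenSea), the sketch below models the gap described above: the front end stops showing a listing once the NFT leaves the listing wallet, while the listing itself stays open until it is explicitly cancelled. The record fields, the expiry rule, the wallet names and the sample listings are constructed assumptions, not OpenSea's API schema; the audit function returns the listings an owner would still need to cancel.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    order_id: str
    token_id: int
    maker: str        # wallet that created the listing
    price_eth: float
    expires_at: int   # unix time; expiry is an assumption of this model
    cancelled: bool   # True only if the maker explicitly delisted

def is_open(listing, now):
    """A listing stays fulfillable until it is cancelled or expires."""
    return not listing.cancelled and listing.expires_at > now

def shown_in_front_end(listing, owner_of, now):
    """Front-end view: open listings whose maker still holds the token."""
    return is_open(listing, now) and owner_of[listing.token_id] == listing.maker

def stale_listings(listings, owner_of, my_wallets, now):
    """Open listings made by my wallets that the front end no longer shows,
    cheapest first, so the most underpriced ones are cancelled first."""
    stale = [l for l in listings
             if l.maker in my_wallets
             and is_open(l, now)
             and not shown_in_front_end(l, owner_of, now)]
    return sorted(stale, key=lambda l: l.price_eth)

# Constructed sample data: wallet 0xA listed five tokens, then moved four to 0xB.
NOW = 1_643_000_000
OWNER_OF = {1: "0xB", 2: "0xB", 3: "0xA", 4: "0xB", 5: "0xB"}
LISTINGS = [
    Listing("ord-1", 1, "0xA", 23.0, NOW + 86_400, False),  # moved, never cancelled
    Listing("ord-2", 2, "0xA", 80.0, NOW + 86_400, True),   # moved, cancelled
    Listing("ord-3", 3, "0xA", 95.0, NOW + 86_400, False),  # still held: visible
    Listing("ord-4", 4, "0xA", 15.0, NOW - 1, False),       # moved, expired
    Listing("ord-5", 5, "0xA", 6.5, NOW + 86_400, False),   # moved, never cancelled
]

if __name__ == "__main__":
    for l in stale_listings(LISTINGS, OWNER_OF, {"0xA", "0xB"}, NOW):
        print(f"{l.order_id}: token {l.token_id} still open at {l.price_eth} ETH")
```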