OpenSea has compensated customers who unintentionally sold their NFTs at outdated listing prices, paying out 750 ETH, about $1.8 million in fiat currency.
OpenSea has now paid out 750 ETH (about $1.8 million) to users who sold valuable NFTs well below their going market rate through an exploit involving “inactive listings.”
About the exploit
Several users of the largest NFT marketplace recently reported that their high-end NFTs, such as those from the Bored Ape Yacht Club (BAYC) collection, were bought at old, low listing prices. Although OpenSea’s user interface suggested otherwise, these listings had never been cancelled on the blockchain.
What caused this to happen? Tech-savvy buyers funnelled money into crypto wallet addresses through services like Tornado Cash, which obscure the source of the funds, and then used those funds to acquire NFTs at the old listing prices.
This isn’t a brand-new exploit. Users must pay a gas fee to complete any transaction on the Ethereum blockchain, and that includes cancelling an OpenSea listing that has not yet expired.
Before OpenSea offered configurable expiration periods on listings, many NFT holders created listings with no expiration date at all; the only way to remove such a listing is a manual on-chain cancellation, which costs gas. Expired listings are harmless, but inactive listings are dangerous.
Some NFT owners discovered a loophole to avoid paying Ethereum gas fees, which can easily run into hundreds of dollars for a single transaction: if they transferred the NFT to a secondary wallet and then returned it to the original wallet, the listing vanished from the OpenSea UI.
The “inactive listings” problem
The listing, however, had simply changed from “active” to “inactive.” Inactive listings can still be bought by technically proficient buyers who interact directly with the smart contracts rather than through OpenSea’s interface.
OpenSea informed some BAYC holders earlier this week that they would be reimbursed some Ethereum for their losses. Tballer, who lost Ape #9991 for 0.77 ETH (about $1,700), told Decrypt on January 25 that he received a “delayed response” from OpenSea but was “pleased they came back to me.”
On January 26, OpenSea sent an email to NFT owners with inactive listings, requesting that they “act promptly to terminate any inactive listings.”
The email was “extremely irresponsible on their part and makes things 100x worse,” according to NFT collector Dingaling, who claimed in a lengthy Twitter thread that this made the exploit considerably easier to carry out.
Because the email simply instructed customers to cancel dormant listings one by one on the OpenSea website, exploiters were able to buy against the inactive listings that had not yet been cancelled. Swolfchan, for example, kept their Mutant Ape Yacht Club Ape in their main wallet and cancelled a 15 ETH inactive listing, planning to cancel a 6 ETH listing next.
However, in the time it took Swolfchan to cancel the first inactive listing and move on to the second, an exploiter bought their Ape at the 6 ETH price.
According to Dingaling, Swolfchan would have been safe had they transferred the Ape to another wallet, cancelled all the listings, and only then moved the Ape back to the primary wallet. These instructions did not appear to be included in OpenSea’s initial email, however.
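The mechanism described above (an off-chain signed listing that the contract will still honour after the NFT has been moved out and back, even though the UI hides it) and the park-then-cancel procedure Dingaling describes can be modelled in a few dozen lines. The following is an added illustration, not OpenSea's code or its contracts: the wallet names, the HMAC stand-in for an ECDSA signature, and the rule that any transfer flips a listing to "inactive" in the UI are constructed simplifications, and the contract's fillability check is reduced to "valid signature, not cancelled on-chain, maker still owns the token."

```python
# Added example (not OpenSea's code): toy off-chain order book with on-chain
# settlement, showing why hiding a listing in the UI is not cancelling it.
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for wallet private keys (real orders use ECDSA keys).
SECRET_KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}


@dataclass(frozen=True)
class Order:
    maker: str
    token_id: int
    price_eth: float
    nonce: int
    signature: str


def sign_order(maker, token_id, price_eth, nonce):
    """Create a signed sell order. Signing is free and happens off-chain."""
    msg = f"{maker}|{token_id}|{price_eth}|{nonce}".encode()
    sig = hmac.new(SECRET_KEYS[maker], msg, hashlib.sha256).hexdigest()
    return Order(maker, token_id, price_eth, nonce, sig)


class Chain:
    """Stand-in for the NFT contract plus the exchange contract."""

    def __init__(self, owners):
        self.owners = dict(owners)   # token_id -> current owner
        self.cancelled = set()       # signatures cancelled on-chain
        self.transfer_log = []       # (sequence number, token_id)
        self.seq = 0
        self.gas_spent = {}          # every state change costs gas

    def _tx(self, sender):
        self.gas_spent[sender] = self.gas_spent.get(sender, 0) + 1

    def transfer(self, sender, token_id, to):
        assert self.owners[token_id] == sender, "only the owner can transfer"
        self._tx(sender)
        self.owners[token_id] = to
        self.seq += 1
        self.transfer_log.append((self.seq, token_id))

    def cancel(self, sender, order):
        assert order.maker == sender, "only the maker can cancel"
        self._tx(sender)
        self.cancelled.add(order.signature)

    def is_fillable(self, order):
        """The contract's real check: it never consults the UI's status flag."""
        expected = sign_order(order.maker, order.token_id, order.price_eth, order.nonce)
        return (hmac.compare_digest(order.signature, expected.signature)
                and order.signature not in self.cancelled
                and self.owners[order.token_id] == order.maker)


class Marketplace:
    """Off-chain order book plus the front end's active/inactive view."""

    def __init__(self, chain):
        self.chain = chain
        self.orders = []             # (order, chain.seq when posted)

    def post(self, order):
        assert self.chain.owners[order.token_id] == order.maker
        self.orders.append((order, self.chain.seq))

    def ui_status(self, order, posted_seq):
        # Assumed simplification of the flawed UI rule: any transfer of the
        # token after the listing was posted flips it to "inactive" and hides it.
        if order.signature in self.chain.cancelled:
            return "cancelled"
        moved = any(s > posted_seq and t == order.token_id
                    for s, t in self.chain.transfer_log)
        return "inactive" if moved else "active"

    def visible_listings(self, maker):
        return [o for o, seq in self.orders
                if o.maker == maker and self.ui_status(o, seq) == "active"]

    def hidden_but_fillable(self, maker):
        """Defender's audit: listings the UI hides but the contract would honour."""
        return [o for o, seq in self.orders
                if o.maker == maker and self.ui_status(o, seq) == "inactive"
                and self.chain.is_fillable(o)]


def move_out_and_back():
    """The 'loophole': moving the NFT out and back hides the listing in the
    UI but leaves the old 0.77 ETH order fillable on-chain."""
    chain = Chain({9991: "alice"})
    market = Marketplace(chain)
    old = sign_order("alice", 9991, 0.77, nonce=1)
    market.post(old)
    chain.transfer("alice", 9991, "alice-cold")
    chain.transfer("alice-cold", 9991, "alice")
    return (len(market.visible_listings("alice")),
            [o.price_eth for o in market.hidden_but_fillable("alice")],
            chain.is_fillable(old))


def cancel_one_by_one():
    """Cancelling in place: while the 15 ETH order is cancelled, the 6 ETH
    order on the same token is still live in the same wallet."""
    chain = Chain({7: "bob"})
    o15 = sign_order("bob", 7, 15.0, nonce=1)
    o6 = sign_order("bob", 7, 6.0, nonce=2)
    chain.cancel("bob", o15)
    return chain.is_fillable(o15), chain.is_fillable(o6)


def park_then_cancel():
    """Safer order: move the token out first so nothing is fillable while the
    cancellations are mined, then bring it back. Costs two extra transactions."""
    chain = Chain({7: "bob"})
    orders = [sign_order("bob", 7, 15.0, nonce=1), sign_order("bob", 7, 6.0, nonce=2)]
    chain.transfer("bob", 7, "bob-cold")
    exposed_during_cleanup = [o.price_eth for o in orders if chain.is_fillable(o)]
    for o in orders:
        chain.cancel("bob", o)
    chain.transfer("bob-cold", 7, "bob")
    return exposed_during_cleanup, [chain.is_fillable(o) for o in orders], sum(chain.gas_spent.values())
```

`hidden_but_fillable` is the check a wallet owner (or a marketplace front end, as Guillemet's remark later in the piece implies) should run: it ignores the UI's status flag and asks the contract's own question, whether the signature is valid, uncancelled, and the maker still holds the token. `cancel_one_by_one` reproduces the window in which a second listing on the same token remains live; `park_then_cancel` shows that parking the token elsewhere closes that window for the price of two extra transfers.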
“Fixing this issue is our #1 company priority,” OpenSea co-founder Alex Atallah told Dingaling on January 27. “We have a team working on it right now, and we’re putting a countermeasure in place.”
Ledger CTO Charles Guillemet offered a few suggestions for such countermeasures: “It could have been avoided with an alternative design,” he told Decrypt. According to Guillemet, OpenSea’s UI should have been more user-friendly: “Transferring the NFT should not remove the sell order from the UI.”