The media reported that an unknown attacker exploited a bug in the backend of OpenSea, the largest NFT marketplace, to buy NFTs at old, lower prices and then resell them at higher prices.
According to blockchain analysts from PeckShield, the hacker has now “earned” at least 332 Ethereum (about $745,000) in this way. At the same time, analysts from Elliptic say the attacker has already resold seven NFTs, which brought him about $934,000 in profit.
The NFT pricing issue was originally spotted by DeFi Orbs developer Rotem Yakir. He found that users could list NFTs for sale on OpenSea and then cancel the listing, update it, and list the lot at the new price. The problem is that the old listing with the original price could still be accessed through the OpenSea API, even if it was removed from the portal itself.
On Twitter, Yakir blamed the OpenSea developers for the bug, which allowed some listings to be managed using on-chain and off-chain settings, causing some lots to be processed incorrectly.
Yakir’s findings were soon confirmed by the CTO of the ZenGo cryptocurrency wallet, Tal Be’ery. According to Be’ery, an unknown attacker managed to “earn” 100 Ethereum (approximately $225,000) at once on just one NFT.
Let me remind you that we also wrote that critical bugs on the OpenSea NFT marketplace made it possible to steal user funds.
One of the victims of this attack is an NFT collector known by the nickname TBALLER. He writes on Twitter that his Bored Ape #9991 NFT was sold at a discounted price of 0.77 ETH (around $1,775). Almost immediately, a buyer named jpegdegenlove resold the NFT for 84.2 ETH, or almost $200,000.
Representatives of OpenSea have not yet commented on the situation, and it is not clear whether the discovered problem has been resolved.
For now, Yakir recommends that all OpenSea users who have updated the prices in their listings move their NFTs to a new wallet, which will prevent the items from being sold to a hacker at the lower price.
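The following added example (not OpenSea's code and not from the researchers quoted above) models the problem and Yakir's workaround from the seller's side: it flags old listings that were removed from the portal but can still be executed below the displayed price. It assumes a simplified model in which a listing stays executable until it is cancelled on-chain or the seller no longer holds the token; all field names, wallet names and sample values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:               # hypothetical record, not a real API schema
    token_id: str
    seller: str              # wallet that created the listing
    price_eth: float
    shown_on_portal: bool    # still displayed in the marketplace UI
    cancelled_on_chain: bool # explicitly invalidated on-chain by the seller


def fillable(listing, owners):
    """Assumed rule: executable unless cancelled on-chain or token moved."""
    return (not listing.cancelled_on_chain
            and owners.get(listing.token_id) == listing.seller)


def stale_listings(listings, owners):
    """Hidden listings that are still executable below the displayed price."""
    shown = {}  # (token, seller) -> lowest price visible on the portal
    for l in listings:
        if l.shown_on_portal and fillable(l, owners):
            key = (l.token_id, l.seller)
            shown[key] = min(l.price_eth, shown.get(key, l.price_eth))
    risky = []
    for l in listings:
        if l.shown_on_portal or not fillable(l, owners):
            continue
        visible = shown.get((l.token_id, l.seller))
        if visible is None or l.price_eth < visible:
            risky.append(l)
    return risky


# Constructed sample data: two tokens whose prices were raised by the seller.
LISTINGS = [
    Listing("nft-1", "wallet-A", 0.8, False, False),  # old price, only hidden
    Listing("nft-1", "wallet-A", 80.0, True, False),  # current price
    Listing("nft-2", "wallet-A", 1.0, False, True),   # old price, cancelled
    Listing("nft-2", "wallet-A", 50.0, True, False),  # current price
]
OWNERS = {"nft-1": "wallet-A", "nft-2": "wallet-A"}
# Workaround from the article: move the affected token to a new wallet.
OWNERS_AFTER_MOVE = {**OWNERS, "nft-1": "wallet-B"}

if __name__ == "__main__":
    for l in stale_listings(LISTINGS, OWNERS):
        print(f"{l.token_id}: still buyable at {l.price_eth} ETH")
    print("after move:", stale_listings(LISTINGS, OWNERS_AFTER_MOVE))
```
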
Let me also remind you that we reported that fake OpenSea support steals NFTs and funds from cryptocurrency wallets.