OpenSea exploit allowed hacker to buy NFTs for cheap
Numerous NFTs are currently being bought on the OpenSea website for very cheap, well below their floor price. The account doing this goes by the name “OpenSee will refund ask them”. The hacker is clearly taking a jab at OpenSea’s website security by telling affected NFT artists to ask OpenSea for a refund.
Here is a screenshot of Cool Cat NFTs being sold for well below their floor price. For example, Cool Cat #7218 was acquired by the hacker for a mere 3 ETH.
NFT artists are advised not to simply cancel their OpenSea listings. The email sent by OpenSea instead suggests transferring the NFT to a different address, cancelling the listing from the original address, and only then sending the NFT back to the original Ethereum address.
This matters for users who still have “inactive listings” on their accounts. Essentially, OpenSea is asking you to cancel old listings on your NFTs that are still fulfillable, because it is unable to cancel them for you.
We at cryptocoindaddy feel that this is incredibly irresponsible on OpenSea’s part and makes things 100x worse. It actually makes the exploit much easier to execute. One user, Swolfchan, lost a whopping 15 ETH when his Mutant Ape Yacht Club (MAYC) NFT was sold for a mere 6 ETH.
So I got two emails today from @opensea about listings, and lost 15 ETH+ from exactly what they're trying to prevent…
I was told to please act urgently to cancel any inactive listings… cancelled a 15 ETH MAYC @BoredApeYC and it triggered a 6 ETH listing… and sold?? pic.twitter.com/1wt21mt9mz
— swolfchan.eth (@swolfchan) January 27, 2022
After receiving the above email from OpenSea, Swolfchan went to cancel his “inactive listings”. He started by cancelling the 15 ETH listing, which succeeded and was confirmed in block 14086214. When he cancelled the 6 ETH listing, an “exploiter” saw the cancellation transaction waiting in the Ethereum mempool and executed a sale of the NFT for 6 ETH in the same block by front-running the cancellation via the Flashbots RPC. Both transactions landed in block 14086215.
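As an added illustration (not code from the article, from OpenSea or from the exploiter), the following toy Python model shows why cancelling a stale listing in place, as Swolfchan did, is racy, and why the transfer-first sequence in OpenSea’s email is safer. It assumes a simplified exchange in which a signed listing is fillable only while its nonce is uncancelled and the maker still owns the token, and in which a block builder can place a searcher’s fill ahead of the owner’s cancel within one block; the addresses, token id, nonce, price and block contents are all constructed.

```python
from dataclasses import dataclass, field

# Constructed labels standing in for Ethereum addresses (not real accounts).
OWNER, SECOND, EXPLOITER = "owner.eth", "owner-secondary.eth", "exploiter"


@dataclass(frozen=True)
class Listing:
    """An off-chain signed sell order. Assumption: each listing carries a
    per-maker nonce, and the exchange contract records cancelled nonces."""
    maker: str
    token_id: int
    price_eth: float
    nonce: int


@dataclass
class Chain:
    """Minimal on-chain state: token ownership plus cancelled (maker, nonce) pairs."""
    owners: dict                                  # token_id -> current owner
    cancelled: set = field(default_factory=set)   # (maker, nonce) pairs
    log: list = field(default_factory=list)

    def transfer(self, token_id, sender, to):
        if self.owners[token_id] != sender:
            self.log.append(f"transfer #{token_id} by {sender}: REVERT (not owner)")
            return False
        self.owners[token_id] = to
        self.log.append(f"transfer #{token_id}: {sender} -> {to}")
        return True

    def cancel(self, listing):
        self.cancelled.add((listing.maker, listing.nonce))
        self.log.append(f"cancel nonce {listing.nonce} of {listing.maker}")
        return True

    def fill(self, listing, taker):
        """Match a signed order. It is still fillable as long as the nonce is
        not cancelled AND the maker still holds the token."""
        if (listing.maker, listing.nonce) in self.cancelled:
            self.log.append(f"fill #{listing.token_id}: REVERT (nonce cancelled)")
            return False
        if self.owners[listing.token_id] != listing.maker:
            self.log.append(f"fill #{listing.token_id}: REVERT (maker no longer owns it)")
            return False
        self.owners[listing.token_id] = taker
        self.log.append(f"fill #{listing.token_id}: sold to {taker} for {listing.price_eth} ETH")
        return True


def mine_block(chain, txs):
    """Execute transactions in the order the block builder placed them. A
    searcher who saw the cancel in the mempool can have its fill land first."""
    return [tx() for tx in txs]


# Constructed stale listing: an old 6 ETH ask that the owner forgot about.
STALE = Listing(maker=OWNER, token_id=1234, price_eth=6.0, nonce=1)


def cancel_in_place():
    """What happened to the seller in the article: cancel the listing directly."""
    chain = Chain(owners={STALE.token_id: OWNER})
    results = mine_block(chain, [
        lambda: chain.fill(STALE, EXPLOITER),   # placed ahead of...
        lambda: chain.cancel(STALE),            # ...the owner's cancellation
    ])
    return chain.owners[STALE.token_id], results, chain.log


def transfer_then_cancel():
    """The sequence from OpenSea's email: move the token away, cancel, move it back."""
    chain = Chain(owners={STALE.token_id: OWNER})
    mine_block(chain, [lambda: chain.transfer(STALE.token_id, OWNER, SECOND)])
    results = mine_block(chain, [
        lambda: chain.fill(STALE, EXPLOITER),   # same ordering as above
        lambda: chain.cancel(STALE),
    ])
    mine_block(chain, [lambda: chain.transfer(STALE.token_id, SECOND, OWNER)])
    late = chain.fill(STALE, EXPLOITER)        # token is back, but the nonce is dead
    return chain.owners[STALE.token_id], results, late, chain.log


if __name__ == "__main__":
    for scenario in (cancel_in_place, transfer_then_cancel):
        print(f"== {scenario.__name__} ==")
        print("\n".join(scenario()[-1]))
```

Reading the two logs side by side makes the difference concrete: in the first scenario the fill executes before the cancel even though the owner broadcast the cancel first, so the NFT changes hands at the stale price; in the second the fill reverts because the maker no longer holds the token when the cancel is broadcast, and once the token returns the cancelled nonce keeps the old order unfillable.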