LONDON, Jan 25 — A flaw in the largest marketplace for non-fungible tokens (NFTs), OpenSea, allowed buyers to purchase at least US$1.1 million (RM4.6 million) worth of NFTs for significantly below market price, blockchain analytics firm Elliptic said yesterday.

An NFT is a form of crypto asset which records the ownership status of digital files on a blockchain. OpenSea is the largest marketplace for speculators and enthusiasts to trade NFTs, with US$4.8 billion worth of sales so far in January.

But a flaw in the process allowed users to buy certain NFTs at old listing prices, without the owner realising they were still on sale.

“This is not an exploit or a bug — it’s an issue that arises because of the nature of the blockchain,” an OpenSea spokesperson said in emailed comments.

“OpenSea cannot cancel listings on behalf of users. Instead, users must cancel their own listings.”

OpenSea said it was working on “a number of products” to address this, including a dashboard that would allow users to see and cancel their listings. It said it had reimbursed affected users.

“The exploit appeared to come from the fact that it was previously possible to re-list an NFT at a new price, without cancelling the previous listing,” said Tom Robinson, chief scientist and co-founder at Elliptic.

“Those old listings are now being used to buy NFTs at prices specified in the past — often well below current market prices.”

For example, an NFT of a cartoon ape from the Bored Ape Yacht Club collection, Bored Ape #9991, was bought for 0.77 of the cryptocurrency ether (around US$1,747) yesterday. Usually, such NFTs fetch hundreds of thousands of dollars.

Bored Ape Yacht Club is a set of 10,000 algorithmically generated NFTs made by the US-based company Yuga Labs.

Around 20 minutes after Bored Ape #9991 was bought for 0.77 ether, it was sold on for 84.2 ether (around US$189,040), according to blockchain records seen on OpenSea. The buyer netted a profit of more than US$187,000.

The NFT’s original owner, who identified themselves on Twitter as “TBALLER.eth” (@T_BALLER6), tweeted their shock at the transaction, which they said they did not authorise:

“Yooo guys! Idk (I don’t know) what just happened by why did my ape just sell for .77?????”

“I didn’t list me ape at all…. Now I’m seeing DMs (direct messages) it sold for .77??????”

Elliptic’s Robinson said he had identified five accounts which purchased at least 12 NFTs in this way, with a total value of US$1.1 million.

One person paid a total of US$133,000 for seven NFTs by exploiting the bug, before then quickly selling them on for US$934,000, Robinson said.

As celebrities and top brands flock to the NFT market — where sales volumes and prices of sought-after tokens have seen eye-watering growth — the OpenSea issue may give some buyers reason to pause.

NFTs and so-called decentralised finance (“DeFi”) represent a new Wild West in markets, with large sums of money bypassing traditional gatekeepers of finance such as banks.

Fraud and theft at DeFi platforms totalled at least US$10.5 billion in 2021. DeFi could undermine financial stability if it gains traction, the Bank for International Settlements has warned.

OpenSea was founded in 2017 and was valued at US$13.3 billion in its latest round of venture funding.

Robinson said that while hacks and NFT theft were commonplace for individual users, “it’s not common to see something that affects potentially the entire marketplace”. — Reuters