Attackers take advantage of an OpenSea loophole to steal and resell rare NFTs

One attacker paid approximately $133,000 for seven NFTs before quickly selling them for $934,000 in ether.

Due to a bug in the OpenSea NFT marketplace, hackers have been able to steal rare NFTs from owners for far below market value and resell them for large profits.

According to blockchain analytics firm Elliptic, at least 3 attackers exploited a bug on the marketplace, stealing more than $1 million as of Monday.

One of the alleged opportunists purchased a Mutant Ape Yacht Club NFT for $10,600 in ether before selling it for $34,800 in ether hours later.

"The exploit appears to stem from the ability to re-list an NFT at a new price without canceling the previous listing," Elliptic reported.

"Those previous listings are now being used to purchase NFTs at prices specified at some point in the past — which are frequently significantly lower than current market prices."
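The check below is an added example, not code from OpenSea, Elliptic or the original article: it models the behaviour Elliptic describes and flags older listings that remain buyable after an owner re-lists the same token at a higher price. The `Listing` fields, the expiry rule and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Listing:
    token_id: str                     # constructed identifier
    price_eth: float                  # asking price in ether
    created_at: int                   # listing time (constructed tick)
    cancelled: bool = False           # explicitly cancelled by the owner
    expires_at: Optional[int] = None  # assumption: None means no expiry


def is_fillable(listing: Listing, now: int) -> bool:
    """A listing can still be bought if it was never cancelled and has not expired."""
    return not listing.cancelled and (
        listing.expires_at is None or listing.expires_at > now)


def stale_listings(listings, now):
    """Return (stale, current) pairs: older fillable listings priced below
    the owner's newest fillable listing for the same token."""
    by_token = defaultdict(list)
    for item in listings:
        if is_fillable(item, now):
            by_token[item.token_id].append(item)
    exposed = []
    for live in by_token.values():
        current = max(live, key=lambda l: l.created_at)
        exposed += [(old, current) for old in live
                    if old.created_at < current.created_at
                    and old.price_eth < current.price_eth]
    # Largest discount against the current price first.
    return sorted(exposed, key=lambda pair: pair[0].price_eth - pair[1].price_eth)


# Constructed sample data, not real marketplace records.
SAMPLE = [
    Listing("nft-1", 3.0, created_at=1),                  # never cancelled
    Listing("nft-1", 30.0, created_at=5),                 # re-listed at a new price
    Listing("nft-2", 2.0, created_at=2, cancelled=True),  # cancelled before re-listing
    Listing("nft-2", 20.0, created_at=6),
    Listing("nft-3", 1.0, created_at=1, expires_at=4),    # expired on its own
    Listing("nft-3", 10.0, created_at=7),
]

if __name__ == "__main__":
    for old, current in stale_listings(SAMPLE, now=10):
        print(f"{old.token_id}: still buyable at {old.price_eth} ETH, "
              f"current listing is {current.price_eth} ETH")
```

Only the `nft-1` listing is reported, because its earlier price was neither cancelled nor expired when the token was re-listed.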

One attacker, known online as "jpegdegenlove," paid roughly $133,000 for seven NFTs before quickly selling them on the platform for $934,000 in ether.

Suspicious activity has increased in the last day, but the bug has been present for weeks and was first reported in a tweet on January 1.

On Monday morning, the exploit was used on the marketplace eight times in a roughly eight-hour period. According to blockchain analytics provider Nansen, a wallet address associated with multiple purchases made a profit of $878,288 worth of ether from the exploit.

"The fact that a user could buy at previous prices and flip NFTs without any form of verification points to the current centralization issue in NFTs," Jenna Pilgrim, CEO of blockchain media licensing startup Streambed, told Blockworks.

"OpenSea does an excellent job of creating a solid user interface, but at the expense of security," she added.

According to Elliptic, "jpegdegenlove" later compensated two of their victims, transferring them a total of $75,000 worth of ether.

According to Charles Guillemet, CTO of hardware wallet developer Ledger, it is not safe for NFT holders to have their assets listed on OpenSea at the moment.

"It's very difficult to use this platform securely right now," he said on Monday in a Twitter space. "The only thing we can do is lessen the risk."

OpenSea has yet to publicly address the exploit and has not responded to Blockworks' request for comment.