Recently, several users of the leading NFT marketplace had complained that their blue chip NFTs, such as those belonging to the Bored Ape Yacht Club (BAYC) collection, had been purchased at old, cheap listing prices. These listings were never canceled on the blockchain, even though the user interface on OpenSea suggested that they had been.
How did this happen? Tech-savvy buyers have been using services like Tornado Cash to funnel money into crypto wallet addresses without disclosing the source and using those funds to buy NFTs at old listing prices.
This exploit isn’t new. The blockchain requires users to pay a gas fee to execute transactions, including canceling a listing on OpenSea that has not yet expired. But before OpenSea implemented selectable expiration dates on listings, many NFT holders had inactive listings that had no expiration date and thus required manual cancellation via a paid gas fee. Expired listings are fine, but inactive listings pose a risk.
In an effort to avoid paying Ethereum gas fees, which can often run into the hundreds of dollars for a single transaction, some NFT owners found a loophole. If they transferred the NFT to a secondary wallet, and then back to the first wallet, the listing vanished on the OpenSea UI.
But in reality, the listing had simply gone from “active” to “inactive.” And inactive listings can still be purchased by blockchain experts who interact directly with the smart contracts themselves, not OpenSea’s UI.
In response, OpenSea rolled out an “inactive listings” feature on its desktop site on January 24. They did not respond to Decrypt’s previous request for comment.
Some BAYC holders were told by OpenSea earlier this week that they would be refunded some Ethereum for their loss. Tballer, who lost Ape #9991 for 0.77 ETH (about $1,700), told Decrypt on January 25 that he felt he got a “rather slow response” from OpenSea but was “happy they got back to me.”
“The [NFT] community helped me through this,” Tballer told Decrypt. “The night it happened I was pretty close to going home and selling everything.”
Tballer’s Ape now appears to belong to Juan Fdez, who purchased two of the Apes that were inadvertently sold. Fdez also holds BAYC #8924, which had been swiped for 6.66 ETH (about $17,000). Fdez did not respond to Decrypt’s request for comment.
If Tballer wants his Ape back, he’ll have to pay 130 ETH ($330,000).
On January 26, OpenSea sent out an email to NFT owners with inactive listings telling them to “please act urgently to cancel any inactive listings.”
These instructions sparked some concerns, as NFT collector Dingaling argued in a lengthy Twitter thread that the email was “incredibly irresponsible on their part and makes things 100x worse. This actually makes the exploit much easier to execute.”
1/ WARNING: DO NOT CANCEL YOUR OS LISTINGS AS STATED IN THE EMAIL THAT OPENSEA JUST SENT OUT🚨🚨
Please FIRST transfer your NFT to a different address and cancel the listing/s on the original address BEFORE sending it back
OS just put everyone at even more risk than before🧵
— dingaling (@dingalingts) January 27, 2022
Because the email simply told users to cancel inactive listings one by one on the OpenSea website, exploiters could still purchase through the other inactive listings while those cancellations were in progress. For example, Mutant Ape Yacht Club holder Swolfchan kept their Ape in their main wallet and canceled a 15 ETH inactive listing. After that, they planned to cancel a 6 ETH listing.
But in between the time it took Swolfchan to cancel the first inactive listing and move onto the second, an exploiter purchased their Ape for the 6 ETH price.
Dingaling explained that if Swolfchan transferred the Ape to another wallet, then canceled all the listings, then moved the Ape back to the main wallet, they would have been safe. But OpenSea did not appear to provide these instructions in its initial email.
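The mechanism described above, as an added illustration that is neither OpenSea's code nor part of the article: a toy model of signed sell orders in which moving the token out and back leaves old no-expiry listings fillable, cancelling them in place leaves the remaining ones exposed between steps, and parking the token in a second wallet first does not. Wallet names, the token id and the prices are constructed.

```python
from dataclasses import dataclass

@dataclass
class Listing:
    maker: str               # wallet that signed the sell order
    token_id: int
    price_eth: float
    expires_at: int = 0      # 0: no expiry, as on older listings
    cancelled: bool = False  # cancelled on-chain (the step that costs gas)

class Market:
    """Toy model (constructed, not OpenSea's code): fillable = maker owns token, unexpired, uncancelled."""
    def __init__(self, owners):
        self.owners = dict(owners)   # token_id -> current wallet
        self.listings = []
    def list_token(self, maker, token_id, price_eth, expires_at=0):
        assert self.owners[token_id] == maker
        self.listings.append(Listing(maker, token_id, price_eth, expires_at))
    def transfer(self, token_id, sender, receiver):
        assert self.owners[token_id] == sender
        self.owners[token_id] = receiver   # moving the token never touches the orders
    def fillable(self, token_id, now=0):
        return [l.price_eth for l in self.listings
                if l.token_id == token_id and not l.cancelled
                and self.owners[token_id] == l.maker
                and (l.expires_at == 0 or now < l.expires_at)]
def roundtripped_market():
    """Two old no-expiry listings; the token leaves and returns, so the UI hides them."""
    m = Market({1: "main"})
    for price in (15.0, 6.0):
        m.list_token("main", 1, price)
    m.transfer(1, "main", "alt"); m.transfer(1, "alt", "main")
    return m

def cancel_in_place(m, token_id, wallet):
    """Cancel one by one with the token still held; exposure recorded after each cancel."""
    exposure = []
    for l in [x for x in m.listings if x.token_id == token_id and x.maker == wallet]:
        l.cancelled = True
        exposure.append(m.fillable(token_id))
    return exposure

def cancel_via_secondary(m, token_id, wallet, secondary):
    """Park the token elsewhere first, cancel everything, then bring it back."""
    m.transfer(token_id, wallet, secondary)
    exposure = [m.fillable(token_id)]
    for l in [x for x in m.listings if x.token_id == token_id and x.maker == wallet]:
        l.cancelled = True
        exposure.append(m.fillable(token_id))
    m.transfer(token_id, secondary, wallet)
    return exposure + [m.fillable(token_id)]
```

Each returned list is the set of prices still payable by someone calling the contract directly after a step; a non-empty entry mid-procedure is the window the thread warns about.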
OpenSea co-founder Alex Atallah told Dingaling on January 27 that “fixing this issue is our #1 company priority. We have a team working on it and putting up a countermeasure now.”
As for what those solutions could be, Ledger CTO Charles Guillemet has a few ideas: “A different design could have avoided such an issue,” he told Decrypt. Guillemet argues that the UI on OpenSea should have been clearer for users. “Transferring the NFT shouldn’t remove the sell order from the UI,” he said.