On the early morning of January 24, 2022, the popular non-fungible token (or NFT) marketplace “OpenSea” was subject to the theft of over 1 million USD worth of NFTs[1]. Users of the platform were able to strategically exploit a design flaw within the website, which allowed them to purchase expensive NFTs for significantly lower than what they were listed for on the exchange. These same users then resold their newly purchased NFTs at a substantial profit.
One user (by the username of TBALLER) reported on Twitter[2] that one of their Bored Ape NFT’s was sold to one of the exploiters for 0.77 ETH (~$1800 USD at the time of the attack), which was quickly sold at a profit for 84.2 ETH (~$196,000 USD at the time of the attack) by the exploiter.
So what exactly happened?
Although the transactions of NFTs on OpenSea are recorded on the blockchain and cannot be tampered with, users were still able to purchase NFTs for the incorrect prices. So what gives?
To start, OpenSea actually records transactions differently. Instead of waiting around for blockchain confirmations on the Ethereum network (which could take hours[2]), OpenSea settles the transactions directly on their website even if the transaction on the Ethereum network has not settled (this is often called as an “off-chain transaction). With that, when users on the marketplace list their NFTs and want to change the price to a substantially higher price, they would need to cancel the original listing and relist their NFT again. However, relisting their NFT requires a “gas fee”[3] which can be in the hundreds of dollars, because the old listing must be marked as cancelled on the blockchain. So to combat this, users circumvent the gas fee by transferring their NFT to an extra wallet and back to relist it. However, as mentioned before, the OpenSea website may recognize these new listings, but the old listings on the blockchain are still present because the gas fees were never paid.
This inherent flaw of off-chain transactions is what users exploited. Despite the old transactions being cancelled on OpenSea, they were still active on the blockchain and can be accessed through the OpenSea API. Keen users were then able to use the OpenSea API to purchase numerous amounts of NFTs at extremely reduced prices because typically the old listings of the NFTs had lower prices than the new listings due to the exponential growth in value of NFTs within the past few months.
What can be learned from this?
After the incident has taken the public’s attention, OpenSea has issued a statement where it promises to reimburse those affected by the exploit[4]. This has been the only statement OpenSea has made regarding the exploit at this time.
However, the exploit has been reported as early as January 1, 2022, which can be seen by the tweet below.
It is currently unclear whether OpenSea was aware of such exploits or simply turned a blind eye towards its user base and their complaints regarding the exploits. With that, it is clear to see the importance of taking feedback from your customer base regarding severe issues such as vulnerabilities in your company’s system because one day, it may lead to millions of dollars in losses for your company.
References
[2] https://twitter.com/T_BALLER6/status/1485523314621632514
Great Post !
I want to mention about some concerns about NFT, NFTs are artificially scarce, don’t represent true ownership, threaten the intellectual property rights of content creators, enable counterfeiting and money laundering, and encourage consumptive mining practices.
Thank you for providing references.
Hey Balsher,
Thank you for your feedback! I agree with your thoughts on NFTs, especially in the sense that they threaten intellectual property. It just makes no sense how somebody can take a screenshot of something somebody else made and sell it as their own creation.
This was a really good post! I never really understood how NFTs became so popular, but exploits like this makes NFTs dangerous to the market as a whole. Thanks for raising awareness about this, NFTs seem to be the next big trend for a lot of people, so something like this could very well happen again if a company isn’t more careful and considerate about feedback from the customers.
Hey Jazib,
I totally agree on the sense that NFTs are way too exposed and vulnerable for the amount of value they bring to the internet world. I feel like the technology as of right now seems a bit too premature but I trust that NFTs are just one small step for the future of digital goods.
I learn a lot from this post! NFTs continuously get pushed through social media stars and it’s easy to follow them as “free” investing advice. Your post gives more insight into the risks of NFTs and more info into the blockchain as a whole. It’s very interesting to see what exploits are being discovered and it’s cool that OpenSea is reimbursing those that were affected but as you mentioned the exploit was reported as early as Jan 1, 2022 which means they should’ve took action much sooner.
Hello Karnveer,
Thanks for your comment! There are definitely a lot of risks associated with NFTs as it is still in its infancy stage. However, like I mentioned to Jazib in my other comment — I do feel like NFTs are definitely a step in the right direction for the future of digital goods.
Also I do see that the users were reimbursed for the events, but I feel like it is too late for OpenSea to actually recover their public relations status.
Interesting post!!!
I am so into NFT’s, I do own an NFT(Shiboshi) . I hate using OpenSea their gas fee is so high , one of the OpenSea executives got caught insider trading Nft’s for personal profit.I really felt bad for the dude he was all over Twitter crying . But there were also many other situations where people started creating fake NFT Projects and scamming People .
NFTs are a hot topic right now! It seems like since bitcoin, the media has been talking about how great a decentralized market is. Honestly, I’m really skeptical about it as I don’t 100% understand who is responsible. Your blog post got me thinking about how flaws in the technology of NFTs might impact the value of those NFTs. If they are vulnerable and get hacked, what happens to all the people that invested in it! Guess we’ll have to wait and see..
Hello Charvi,
Yeah I totally understand the whole “blind trust” into NFTs right now because of how new and unprecedented the technology is. As for this attack, I am not quite sure who is responsible either. I feel like since the attacks happened much earlier, those who chose to ignore the outcry of that one twitter user would be at fault. However, there seems to be no evidence that OpenSea was even aware of the issue as early as the first incident.
Is OpenSea the only NFT marketplace that uses off-chain transactions? If not, do you know how other marketplaces prevent similar exploitations?
In your opinion, how do you think OpenSea will prevent future exploitations? Do you think that it will be possible to continue using off-chain transactions in a less vulnerable way?
Very informative article, thanks!
Hey Kathryn,
Thank you for your insights, here’s my attempt at answering your questions.
> Is OpenSea the only NFT marketplace that uses off-chain transactions? If not, do you know how other marketplaces prevent similar exploitations?
I’m actually not too sure about these questions as I am not too familiar with NFT’s and their respective marketplaces. Although as I outlined in my article, I would assume that other marketplaces would put implement an off-chain feature to facilitate quicker transactions.
> In your opinion, how do you think OpenSea will prevent future exploitations?
To be honest, I would think they would make their API less accessible to the public or they would have to completely disable their off-chain mechanism for relisting NFTs.
Very informative article indeed! Yes, of course, flawless technology design and implementation is critical especially when it comes to about anything related finance. It is not uncommon however that while designing the most toughest security-test-cases for systems like this, we often forget the simplest ones that can lead to cause millions of money.
Hello Zaman,
I completely agree with you on the fact that when developing security systems, people often forget the simplest test-cases. I’ve seen time and time again where companies have lost millions over a simple bug in their software. This is why I heavily advocate for white hat hacking as it provides companies another point of view in their security.
Very interesting post.
To me this is not really that surprising but still an amusing loop-hole to be abused. I personally think fault lies entirely with OpenSea as their procedures were not properly tested when implemented. While I appreciate their approach to “off-chain transactions” and I’m sure other users feel similarly, however, I feel the issue is at fault with their implementation. While they may have had unforeseen growth due to the sudden rise in popularity of NFT investments, I feel that OpenSea should have hired/consulted with additional professionals regarding their security. With more than $10 Billion volume worth of trades occurring in 2021 I believe that OpenSea had more than enough resources available and failed to secure the security and trust of their users after this.
Source for the $10 Billion volume of trades in 2021 : https://ca.finance.yahoo.com/news/more-10bn-volume-now-traded-155716114.html
Hey Zach,
I completely agree with your point of OpenSea being neglectful regarding the security of their “off-chain transactions” as they scaled up. However, as I said in my other replies — I am not quite sure on how OpenSea would implement the security features of a blockchain with off-chain transactions. I think OpenSea would either have to completely close off their API system and make it completely private or shut down their off-chain transaction solution and obtain security at the expense of slower transactions.
This was a very interesting post. It’s fascinating how NFT’s have become so popular as of recently. I have heard of many being sold for millions. About 2 months ago an NFT called the merge was sold for 91.8 million dollars. Seeing how these NFT’s are being sold for so much money, it seems that it is very important to make sure that security precautions are taken so that these NFT’s aren’t exploited. This whole OpenSea debacle is the perfect example of that. They definitely should’ve been more vigilant, then this issue would not have occurred. This idea of digital art is very cool, but we have to make sure that we keep that digital art safe and don’t let it be exploited.
Hey Hassan,
I appreciate the comment! I totally agree with your opinion of digital art being cool. It has definitely enabled many gig artists producing digital media. Before NFTs were even a thing, I found that the digital gig industry has been somewhat lacking and I really like seeing these artists finally have a platform to reliable sell their art on. However, as of right now — there seems to be many fraudulent set ups with NFTs so it becomes increasingly hard to distinguish between those legitimately trying to make money and those trying to launder money or make quick buck off naive buyers.
The whole point of doing transactions on the blockchain is their verifiability and security, correct? Would allowing off chain transactions not then defeat essentially the entire point of doing things on the blockchain, since these transactions themselves are vulnerable before things are properly recorded on the ledger?
Hey Eric,
Yeah I agree with the whole idea of doing things off the blockchain defeating the main purpose of a blockchain. However, sometimes the network is too slow and transactions aren’t approved immediately, so off-chain solutions are put up. I guess at the end of the day, it is up to the companies to decide whether or not they want speed or security. In the case of my blog post, OpenSea opted for speed but they faced the consequences of neglecting security.