It was discovered that NFTs worth 100 million yen were stolen through a bug in the trading platform
Hackers Exploit Bug to 'Steal' $1 Million in NFTs from OpenSea Users
https://www.elliptic.co/blog/bug-allows-nfts-worth-over-1-million-to-be-stolen
OpenSea Bug Allows Attackers to Get Massive Discount on Popular NFTs
https://www.coindesk.com/tech/2022/01/24/opensea-bug-allows-attacker-to-get-massive-discount-on-popular-nfts/
For example, the NFT 'Bored Ape Yacht Club #9111' handled by OpenSea was purchased for 0.77 ETH (Ethereum), or $1,760 (about 200,000 yen), and only one hour later it was sold for 84.2 ETH, or about $192,400 (about 22 million yen).
One user named 'jepgdegenlove' won bids for seven NFTs for a total of $133,000 and sold them immediately afterwards for $934,000. In addition to trading in the virtual currency Ethereum, the exchange appears to have been done via Tornado Cash, a mixing service that prevents tracking on the blockchain.
Software developer Rotem Yakir explains that some users were able to buy at a price clearly lower than the NFT's selling price because they exploited a bug in the OpenSea specification. The bug is caused by a mismatch between the NFT information held by the smart contract and the NFT information presented by the OpenSea user interface.
When listing an NFT, OpenSea users set an 'Ask Price' for potential buyers. Due to the nature of smart contracts, if a buyer accepts the selling price, the NFT automatically becomes the buyer's property. If the NFT owner wants to relist the NFT at a higher selling price, the legitimate method is to cancel the first listing, which costs a fee. To avoid the fee, some users instead transferred the NFT to another wallet and then returned it to the original wallet. Doing this removes the selling price from the OpenSea front-end display, but the original selling price remains active on the blockchain, and it seems that it could be found through the OpenSea API.
The signature is saved in @opensea's DB off-chain and when someone wants to buy your NFT, they will send to their smart contract your previously signed data where the signature and sale information (such as expiration & price) are validated on-chain before making the transfer 3 / pic.twitter.com/0U74LitOT2
— Rotem Yakir (@yakirrotem) January 24, 2022
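The mismatch described above can be reproduced in a small model. This is an added example, not OpenSea's contract or API code: the class names, the wallet names, the token id and the ownership check are assumptions, and the two prices are reused from the article only as sample values. It shows that a listing hidden by the transfer trick still validates until it is explicitly cancelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:            # off-chain signed sell order (constructed model)
    order_id: int
    token: str
    maker: str            # wallet that signed the listing
    price_eth: float
    expires: int          # time after which the signature stops validating

class Market:
    def __init__(self, owner):
        self.owner = dict(owner)  # on-chain: token -> current owner
        self.cancelled = set()    # on-chain: order ids cancelled (fee-paying)
        self.orders = []          # off-chain database of signed listings
        self.ui_visible = set()   # order ids the front end still displays

    def list_token(self, order):
        self.orders.append(order)
        self.ui_visible.add(order.order_id)

    def transfer(self, token, to):
        # UI drops the token's listings; the signed orders are untouched on-chain.
        self.ui_visible -= {o.order_id for o in self.orders if o.token == token}
        self.owner[token] = to

    def cancel(self, order_id):
        self.cancelled.add(order_id)
        self.ui_visible.discard(order_id)

    def fillable(self, o, now):
        # Assumed on-chain checks: not cancelled, not expired, maker holds token.
        return (o.order_id not in self.cancelled and now < o.expires
                and self.owner.get(o.token) == o.maker)

    def hidden_but_fillable(self, wallet, now):
        """Listings signed by `wallet` that the UI hides but that still validate."""
        return [o for o in self.orders if o.maker == wallet
                and o.order_id not in self.ui_visible and self.fillable(o, now)]

def demo():
    m = Market({"TOKEN#1": "alice"})                   # constructed sample data
    m.list_token(Listing(1, "TOKEN#1", "alice", 0.77, expires=2_000))
    m.transfer("TOKEN#1", "alice-alt")                 # fee-free "un-listing"
    m.transfer("TOKEN#1", "alice")                     # token returns
    m.list_token(Listing(2, "TOKEN#1", "alice", 84.2, expires=2_000))
    before = [o.order_id for o in m.hidden_but_fillable("alice", now=1_000)]
    m.cancel(1)                                        # explicit cancellation
    after = [o.order_id for o in m.hidden_but_fillable("alice", now=1_000)]
    return before, after
```

In this model the old 0.77 ETH order is the only hidden-but-fillable listing before the cancellation, and none remain after it.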
According to CoinDesk, a cryptocurrency news outlet, the bug was discovered on December 31, 2021 and was also pointed out on Twitter on January 12, 2022. OpenSea hasn't made it clear whether this bug is a spec defect or the result of a user error, and hasn't commented.
IMPORTANT THREAD!
please RT to spread the word.
there's an OpenSea bug (shocking, i know) in their contract that allows people to exploit old listings and buy NFTs right from under you. Here's a story of what happened today & how you can make sure it doesn't happen to you:
1/
— Ginotheghost.eth (@GinoTheGhost) January 13, 2022
in Web Service, Posted by log1i_yk