OpenSea, one of the major NFT marketplaces, has refunded around $1.8 million to users who were affected by the recent theft on its site, amid rising criticism and protests from the crypto community.
On January 24, 2022, attackers took advantage of a flaw in the OpenSea listing procedure to buy some customers' priceless NFTs at rock-bottom prices, over 98% off, and resell them for much more.
The OpenSea “Bug”
According to a report by blockchain analytics firm Elliptic, the OpenSea hack was the consequence of a weakness in how the platform manages asset listings.
OpenSea runs on the Ethereum blockchain, which is known for its exorbitant gas fees. To save money on transactions, the NFT marketplace performs most of its operations off-chain and only submits transactions to the blockchain when they need to be settled.
To put an item up for sale, NFT sellers on the platform sign off-chain data confirming the price at which they want to sell the NFT. The problem emerges when sellers decide to cancel that initial listing, which is done by sending a message to the blockchain.
To avoid paying gas fees, sellers simply transfer the NFT to another wallet instead, which renders the initial offer inactive because the NFT is no longer in their OpenSea wallet.
Things become more problematic when the sellers transfer the assets back to their OpenSea wallets, especially if the NFT's value has increased dramatically in the meantime. Because the first listing was never actually cancelled, anyone can purchase the NFT at the initial price, which is exactly what the criminals did.
The attackers allegedly uncovered this design weakness in the OpenSea system and used a bot to scan the network for NFTs with low floor pending orders, which they then purchased.
Elliptic identified at least five attackers as being involved in the exploit, including user “jpegdegenlove”, who made at least 340 Ether, worth over $800,000 at current rates, as a result.
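The listing lifecycle described above, modelled as an added example (not OpenSea's code and not taken from the Elliptic report). The class names, the settlement rule and the sample wallet, token and price values are assumptions constructed for illustration; the model shows that moving a token away only parks a signed listing, and how a seller can enumerate such dormant listings before moving the token back.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    """Off-chain signed sell order (constructed model, not OpenSea's schema)."""
    order_id: int
    seller: str
    token_id: int
    price_eth: float

class Market:
    """Assumed rule: an order fills if uncancelled and its signer owns the token."""
    def __init__(self):
        self.owner = {}         # token_id -> current owner (on-chain state)
        self.cancelled = set()  # order ids cancelled on-chain (costs gas)
        self.orders = []        # signed listings, stored off-chain

    def list_item(self, seller, token_id, price_eth):
        order = Listing(len(self.orders), seller, token_id, price_eth)
        self.orders.append(order)
        return order

    def transfer(self, token_id, new_owner):
        self.owner[token_id] = new_owner  # leaves self.cancelled untouched

    def cancel(self, order):
        self.cancelled.add(order.order_id)

    def is_fillable(self, order):
        return (order.order_id not in self.cancelled
                and self.owner.get(order.token_id) == order.seller)

    def dormant_listings(self, wallet):
        """Uncancelled orders by `wallet` that would fill again if the token returned."""
        return [o for o in self.orders
                if o.seller == wallet and o.order_id not in self.cancelled
                and not self.is_fillable(o)]

def demo():
    m = Market()
    m.owner[7] = "alice"                # constructed sample state
    old = m.list_item("alice", 7, 1.0)  # low price signed early on
    m.transfer(7, "alice-vault")        # "cancel" by moving the token away
    parked = (m.is_fillable(old), m.dormant_listings("alice"))
    m.transfer(7, "alice")              # token comes back later
    revived = m.is_fillable(old)        # the old price is live again
    m.cancel(old)                       # the on-chain cancel that was skipped
    return parked, revived, m.is_fillable(old), old
```
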
OpenSea Makes Amends
Following the discovery of the vulnerability, OpenSea introduced a new listing manager to the platform, which allows users to monitor both active and inactive listings and cancel inactive ones with a single click.
The NFT marketplace has also begun contacting and compensating affected users. One of the victims of the attack, Robert Garcia, said that his Mutant Ape NFT was sold for 4.7 Ether (about $11,300) on Sunday.
Garcia stated that he emailed OpenSea immediately after the unintended sale, and claimed he received a response on Thursday offering him a refund of 13.8 Ether, which is worth more than $35,000 at current pricing.