Blockchain analytics firm Elliptic wrote in a blog post on Monday that hackers used the glitch to “steal” $1 million USD from OpenSea sellers. The company said it identified at least three attackers who purchased eight NFTs or more — including Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz NFTs — for way less than their current market value.
A screenshot posted by Elliptic shows that one user by the name of jpegdegenlove purchased Bored Ape #9991 for 0.77 ETH (about $1,800) at around 7 a.m. before flipping it for 84.2 ETH (about $196,000 USD) moments later, making about $194,000 USD in profit. The same user is said to have spent $133,000 USD for seven NFTs overall, which were then flipped for $934,000 USD.
Yooo guys! Idk what just happened by why did my ape just sell for .77?????
— TBALLER.eth (@T_BALLER6) January 24, 2022
According to Elliptic, another attacker bought a Mutant Ape Yacht Club NFT for $10,600 USD and sold it hours later for $34,800 USD.
The exploit was first noticed in December and appears to be related to a feature that allows OpenSea users to re-list an asset without canceling the first listing. OpenSea tweeted on Monday night that it had patched the issue by creating a new listings manager.
“What’s going on: Listings made a long time ago are resurfacing when items transfer back into lister’s wallets,” the platform tweeted. “What we did: We can’t cancel these orders for listers, so to fix the problem, we launched a new listings manager today.”
What’s going on:
Listings made a long time ago are resurfacing when items transfer back into lister’s wallets.
— OpenSea (@opensea) January 24, 2022