Pending Order Vulnerability on Opensea was Exploited, Posing a Loss of Millions of Dollars

【TL; DR】

1. On January 24, 2022, Opensea, the world's largest NFT trading platform, was hacked, resulting in a loss of nearly $1 million.
2. There is a pending order vulnerability in the front end of OpenSea, and the pending order that has not been canceled on the chain still exists. If a user transfers out of NFT without paying gas fee and canceling the pending order, he/she will encounter asset risk when transferring back to NFT to an OpenSea account.
3. According to OpenSea's official data provided on Thursday, OpenSea has compensated 750 ETHs for a total of 130 wallet owners.
4. In addition to the losses caused by hacker hacks, OpenSea recently caused community dissatisfaction due to its preparation for listing.

On January 24, 2022, Opensea, the world's largest NFT trading platform, was hacked, resulting in a loss of nearly $1 million.

When the incident occurred, many users found that their NFT was bought at a very low price and quickly resold at a high price. For example, it is well known that the lowest selling price of Bored Apes is $198,000. However, a user's Bored Apes were bought for $1800 and sold for $196,000 20 minutes later. Obviously, the hacker took advantage of the vulnerability of Opensea platform to buy low and sell others' NFT high to earn a high price difference. NFT assets that are bought low and sold high include Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz NFTs. For example, the vulnerability was exploited by hackers at around 7:00 on the 25th, so that Bored Ape Yacht Club NFT #9991 was purchased at a very low price of 0.77ETH and then sold again at a normal price of 84.2ETH.


In addition to OpenSea, Rarible, another mainstream NFT trading market, has also been hacked in the same form. It is reported that the reason why the two NFT markets are similarly hacked is that Rarible also uses an API from OpenSea to launch NFT. There are loopholes in this API, which makes the pending order abnormal.

In the case of normal listing, the signature information when selling NFT will be temporarily stored on the OpenSea server. This data can be accessed through API and will be invalidated after the transaction is normally completed. However, due to loopholes in the mechanism, the pending order that has completed the transaction on OpenSea may still be active. Once the NFT buyer turns the NFT back to OpenSea, this will be exploited by hackers to buy NFT with the original offer. Since the previous quotation was generated when the NFT price was still very low, hackers were able to buy NFT at an ultra-low price and sell it quickly at the market price.


When the incident occurred, a number of users with damaged interests anxiously sought help on social media. The following figure is the original owner of the Bored Ape Yacht Club NFT #9991 mentioned above. In addition, many users said that their NFT was bought at an expired price.

When users decide to cancel the pending orders, the pending orders will disappear only when users decide to cancel the pending orders. If users only transfer NFTs to other wallets without actually canceling the pending orders (to avoid gas fee), the original undeleted pending orders may be exploited when they transfer NFT back to OpenSea.

After the incident, a twitter user nicknamed "bor4edape93" posted a screenshot, saying that he had discovered the vulnerability in June 2021 and reported it to the OpenSea officials. However, Opensea obviously did not pay attention to this issue and did not deal with the vulnerability, which eventually led to the hacker incident. According to Opensea trading information, the account ID of a suspected hacker is "jpegdegenlove", which made more than $800,000 in this way in a few hours. At present, the account home page has been inaccessible.

As previously NFT holders were not aware of the existence of this vulnerability, once they transferred the previously purchased NFT back to OpenSea, their assets would be at risk. According to the news on January 28, OpenSea officials have contacted users who have not canceled their old orders by email to remind them to cancel their original orders on the chain. In addition, OpenSea has compensated 750ETHs for a total of 130 wallet owners, according to data provided by OpenSea officials on Thursday.


Opensea, founded in 2017, is the largest NFT trading market in the world. Users can cast NFT on OpenSea, trade and auction NFT works. In this NFT trading market, there are many kinds of NFTs that can be traded, such as digital art, collectibles, game items, domain names and even digital forms of physical assets. In essence, OpenSea is the NFT version of Taobao. On Taobao, people buy all kinds of physical goods, while on OpenSea, people trade different types of digital assets. As the NFT industry has attracted much attention again and again this year due to encrypted works of art, encrypted avatars and virtual real estate, the number of Opensea users is also rising. At present, the number of monthly active users of Opensea has reached 200,000.

However, in addition to the losses caused by hacker hacks, Opensea also encountered many other disputes recently. On December 6 last year, Brian Roberts, the new CFO of OpenSea, revealed that the company was actively promoting the IPO. This behavior is regarded by the encryption community as a betrayal of their users. Encryption fans support the rapid growth of the platform. They hope that OpenSea can distribute governance tokens through airdrop, just like Ethereum domain name service ENS and Rarible, another NFT trading platform.

In order to protest against OpenSea, the community launched OpenDAO on December 24 and will air drop the governance token SOS to all users who have interacted with OpenSea. The number of air drops is related to the degree of users using OpenSea. The total circulation of SOS tokens is 100 trillion, of which 50% will be used for airdrop, 20% for staking reward, 10% for user liquidity mining reward, and 20% for user Dao daily maintenance.

On December 26, OpenSea officials also responded. On the one hand, although OpenSea officials had nothing to do with SOS token airdrop, OpenSea affirmed the contribution of the community; On the other hand, due to the unofficial background of SOS tokens, OpenSea also reminds users of the risks related to SOS tokens.


Author: Gate.io Observer: Edward.H
Disclaimer:
* This article represents only the views of the observers and does not constitute any investment suggestions.
*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.


Gate.io Featured Articles of the Week
Analysis of the SQUID Game Contract Vulnerability - Risk Remains High
DeFi hacking incidents in 2021
Looksrare NFT Marketplace Competes with OpenSea