According to blockchain analytics firm Elliptic, a bug in the largest NFT marketplace, OpenSea, allowed attackers to purchase at least US$1 million (A$1.4 million) worth of NFTs across multiple wallets for significantly below market price.
A non-fungible token (NFT) is a type of crypto asset that tracks the ownership of digital files on the blockchain.
With US$4.8 billion in sales volume so far in January, OpenSea is the largest marketplace for speculators and enthusiasts to trade their NFTs.
However, a flaw in the marketplace allowed users to purchase certain NFTs at prices at which they had previously been listed, without the owners realizing that they were still for sale.
OpenSea did not immediately respond to a request for comment.
“The exploit appears to come from the fact that it was previously possible to re-list an NFT at a new price, without cancelling the previous listing,” said Tom Robinson, chief scientist and co-founder at Elliptic.
“Those old listings are now being used to buy NFTs at prices specified in the past – often well below current market prices.”
On Monday, for example, an NFT of a cartoon ape from the Bored Ape Yacht Club collection, Bored Ape #9991, was purchased for 0.77 ether (approximately US$1747), despite the fact that such NFTs typically sell for hundreds of thousands of dollars.
Yuga Labs’ Bored Ape Yacht Club is a collection of 10,000 algorithmically generated cartoon ape NFTs.
According to blockchain records seen on OpenSea, around 20 minutes after Bored Ape #9991 was bought for 0.77 ether, it was sold on for 84.2 ether (around US$189,040), giving the buyer a profit of more than US$187,000.
Elliptic's Robinson stated that he had so far identified eight NFTs stolen in this manner, taken from eight different wallets by three attacker wallets.
According to Robinson, one person paid a total of US$133,000 for seven NFTs by exploiting the bug, before quickly selling them on for US$934,000.
He pointed out that, while crypto wallets are typically anonymous, the attackers could be identified if they use an exchange to cash out into fiat currency.
As celebrities, investors, and top brands flock to the NFT market, where sales volumes and prices of some sought-after NFTs have skyrocketed, the OpenSea bug may cause some buyers to reconsider.
OpenSea was founded in 2017 and was valued at $13.3 billion in its most recent round of venture capital.
Elliptic data shows that US$2 billion has been stolen in hacks from users of decentralized finance (DeFi) since 2020.
“It’s not common to see marketplace-wide exploits. We do see individual users being hacked and having their NFTs stolen, for example through phishing attacks, but it’s not common to see something that potentially affects the entire marketplace,” Robinson added.