The world’s largest NFT marketplace – OpenSea, just got hit with another design flaw – this time allowing buyers in an ongoing auction buy rare NFTs for earlier auction prices.  One analyst ripped the $13.3 billion OpenSea for its security failing:

It’s worth noting that this problem arose as a result of the intended design of OpenSea, a centralized service that uses decentralized coins. It’s difficult to classify this as a hack or even a bug. OpenSea informs consumers that this is how its service works, which has resulted in numerous scams. The OpenSea bug shows that it is a sloppy marketplace, and if users aren’t cautious to follow proper practices, they may be exploited by more savvy users.  Whether the OpenSea bug is being treated as an open security flaw or a result of user error is currently unclear.

The CTO of Ledger had even more harsh words for OpenSea in a now-deleted tweet – suggesting that it is currently not safe for NFT holders to have their assets listed on OpenSea: “It’s very difficult to use this platform securely right now.”  

Despite being an exploit that has existed for well over a month, the actual mechanism for this switch remains unknown – with rumors pointing to a flaw in the API used by OpenSea and Rarible.  One analyst speculated “that an API exploit between Rarible and OpenSea was involved, allowing it to buy these #NFTs at a much lower price.” 

While the exact cause of the vulnerability is not yet known, it may ultimately derive from the fact that OpenSea requires a gas fee to remove a listing.  As a gas fee workaround, certain users transferred their NFTs to another wallet without cancelling the original listing.  This avoided paying any gas fees but left the original listing technically still open. 

After some time elapsed, owners would transfer the NFT back to the original wallet and list again.  That’s when the exploit comes into play.  If there is another auction using the original wallet’s address someone could possibly obtain the NFT using a bid that is based on an earlier offer – in essence, buying the NFT for a fraction of its true current value. 

Potentially feeling some pangs of guilt, the latest “exploiter” of this vulnerability took profits and “sent 20Ξ to @T_BALLER6  and 13Ξ to VirtualToast, two of the people he originally took #NFTs from.”  The public name tag of this person is “OpenSea Opportunistic Buyer” – just in case anyone had any doubts as to their good intentions. 

To date, neither Rarible nor OpenSea have publicly stated anything regarding this “exploit”.   

UPDATE:  January 25, 2022

An OpenSea spokesperson said in a private statement provided to a friendly crypto news outlet that the company has been “actively reaching and reimbursing affected users,” and is taking the matter “incredibly seriously.” The spokesperson apparently did not inform the news outlet exactly how much users have been reimbursed.

OpenSea said it’s been quiet on the issue to avoid notifying “bad actors who could abuse it at scale” before patching the problem. It’s apparently working on product improvements, including a new dashboard that shows all active listings, to address the issue.

Moreover, OpenSea suggested that this loss was caused by a “loophole” and was not an exploit or a bug – “it was an UI issue caused when a user creates a listing, then transfers the NFT to a different wallet to avoid the gas fee that comes with nixing a listing.”  In other words, it was as presumed by those looking at what originally took place.

OpenSea also said in its private statement that it is changing the default listing duration for NFTs from six months to one month, so that if an NFT is transferred back into a wallet after the new time frame the listing will have expired.

It goes without saying that a $13.3 billion company having such a large share of a nascent market should not disclose on a piecemeal basis its security and design failings – either wait until the coast is clear or open the spigots to everyone who can ask meaningful questions.