The world’s largest marketplace for trading non-fungible tokens (NFTs), OpenSea, has reportedly suffered a front-end attack resulting in the loss of 332 ETH ($800k). The attack was first noted by blockchain security firm PeckShield and was initiated within four hours of press time.
— PeckShieldAlert (@PeckShieldAlert) January 24, 2022
Blockchain data reveals that the wallet used to execute the attack received 10 ETH from an anonymous wallet service, TornadoCash. Next, the received ETH was wrapped to wETH to be used for the attack on OpenSea, which netted the hacker 332 ETH.
The attacker gained unauthorized access to NFTs belonging to the Mutant Ape Yacht Club, Bored Ape Yacht Club, and Cool Cats collections. The NFTs were immediately sold to net profits for the hackers, with the funds still held in the wallet address at the time of writing.
Many users on Twitter have confirmed losing their NFTs to the OpenSea front-end breach, including user TBaller.eth, whose Bored Ape Yacht Club NFT sold for just 0.77 ETH, significantly lower than the 86 ETH floor price.
Here’s a laundry list of stolen @BoredApeYC, @coolcatsnft and more that the thief is actively stealing right now due to the @opensea exploit. I feel bad for all these people. pic.twitter.com/msl6bCYMfO
— Hustler (@0xHustler) January 24, 2022
OpenSea revealed in a subsequent announcement that it was already aware of the UI bug. “Listings made a long time ago are resurfacing when items are transferred back into lister’s wallets,” OpenSea said. As a result, assets were sold at prices the owner had listed them for in the past, even though new prices had since been stipulated for those NFTs.
OpenSea has released a “new listings manager” to resolve the vulnerability and is also reportedly reaching out to affected users to reimburse the stolen funds.
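The resurfacing behaviour OpenSea described can be checked from the owner's side. The following is an added example, not OpenSea's code: it assumes a simplified model in which a listing stays valid until it is explicitly cancelled and can be filled whenever its maker holds the token, and it flags old listings that became live again after a token left the wallet and came back. All ids, addresses and records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    listing_id: str
    token: str
    maker: str
    price_eth: float
    created: int            # position in the event timeline
    cancelled: bool = False

@dataclass(frozen=True)
class Transfer:
    seq: int
    token: str
    sender: str
    receiver: str

def current_owner(token, transfers):
    """Holder of `token` after replaying its transfers in order."""
    moves = sorted((t for t in transfers if t.token == token), key=lambda t: t.seq)
    return moves[-1].receiver if moves else None

def resurfaced_listings(wallet, listings, transfers):
    """Uncancelled listings that predate a transfer out, token now back in `wallet`."""
    flagged = []
    for lst in listings:
        if lst.maker != wallet or lst.cancelled:
            continue
        if current_owner(lst.token, transfers) != wallet:
            continue        # token is elsewhere, nothing to fill
        if any(t.token == lst.token and t.sender == wallet and t.seq > lst.created
               for t in transfers):
            flagged.append(lst)
    return sorted(flagged, key=lambda lst: lst.price_eth)

# Constructed sample data (hypothetical ids and addresses).
WALLET, VAULT = "0xOwner", "0xVault"
TRANSFERS = [Transfer(1, "ape-1", "0x0", WALLET), Transfer(3, "ape-1", WALLET, VAULT),
             Transfer(5, "ape-1", VAULT, WALLET), Transfer(1, "cat-7", "0x0", WALLET),
             Transfer(3, "cat-7", WALLET, VAULT), Transfer(5, "cat-7", VAULT, WALLET),
             Transfer(1, "ape-2", "0x0", WALLET), Transfer(3, "ape-2", WALLET, VAULT)]
LISTINGS = [Listing("L1", "ape-1", WALLET, 0.77, created=2),   # old, never cancelled
            Listing("L2", "ape-1", WALLET, 86.0, created=6),   # relisted after return
            Listing("L3", "cat-7", WALLET, 1.5, created=2, cancelled=True),
            Listing("L4", "ape-2", WALLET, 2.0, created=2)]    # token still in vault

if __name__ == "__main__":
    print([lst.listing_id for lst in resurfaced_listings(WALLET, LISTINGS, TRANSFERS)])
```

Each flagged listing is one the owner would need to cancel explicitly; moving the token to another wallet and back does not retire it under this model.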