For the OpenSea platform, 2021 ended with the discovery of a vulnerability that allows fraudsters to buy NFTs cheaply. A few weeks later, token holders began to suffer huge losses.
What we know
The problem became known on December 31, 2021, but the vulnerability began to be actively exploited only recently. Elliptic stated that from January 23 to 24, 2022, within 12 hours, scammers purchased eight non-fungible tokens with a market price of over $1,000,000.
The scammers paid far less than that for the tokens. For example, an image from the well-known Bored Ape Yacht Club collection was bought for $1,760, after which the token was sold for $192,400. The scammer thus earned more than $190,000 on one picture, and the NFT owner lost the same amount. In total, the attacker sold tokens worth 400 Ethereum, or $900,000, within 12 hours.
The vulnerability is that the information in the smart contracts does not match the data shown in the OpenSea user interface. Scammers therefore use old smart contracts that are still stored on the blockchain to buy tokens.
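The mismatch described above can be checked for from the owner's side. The following is an added example, not code from OpenSea or from the article: it models the "old smart contracts" as earlier on-chain listing records that were never cancelled (an assumption, since the article gives no further detail) and flags every record that is still fillable but is not what the interface displays. The record layout, function names and sample values are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class ChainListing:
    """One sale listing as stored on-chain (hypothetical record layout)."""
    token_id: str
    price_eth: Decimal
    expires_at: Optional[int]  # unix time; None means it never expires
    cancelled: bool

def is_fillable(listing, now):
    """A listing can still be bought against unless cancelled or expired."""
    return not listing.cancelled and (
        listing.expires_at is None or listing.expires_at > now)

def find_stale_listings(chain, ui_prices, now):
    """Return (token_id, chain_price, ui_price, gap) for every fillable
    on-chain listing the UI does not show at that price, cheapest first.
    ui_prices maps token_id -> displayed price, or None if shown as unlisted."""
    findings = []
    for listing in chain:
        if not is_fillable(listing, now):
            continue
        shown = ui_prices.get(listing.token_id)
        if shown == listing.price_eth:
            continue  # UI and chain agree on this listing
        gap = None if shown is None else shown - listing.price_eth
        findings.append((listing.token_id, listing.price_eth, shown, gap))
    return sorted(findings, key=lambda f: f[1])

# Constructed sample data, not taken from the incident.
NOW = 1_643_000_000
CHAIN = [
    ChainListing("token-1", Decimal("0.8"), None, False),      # old, never cancelled
    ChainListing("token-1", Decimal("80"), None, False),       # current listing
    ChainListing("token-2", Decimal("1.5"), None, True),       # old, cancelled
    ChainListing("token-3", Decimal("2"), NOW - 60, False),    # old, expired
    ChainListing("token-4", Decimal("3"), NOW + 3600, False),  # UI shows unlisted
]
UI = {"token-1": Decimal("80"), "token-2": Decimal("90"), "token-4": None}

if __name__ == "__main__":
    for token, chain_price, shown, gap in find_stale_listings(CHAIN, UI, NOW):
        print(f"{token}: fillable on-chain at {chain_price} ETH, UI shows {shown}, gap {gap}")
```

Any record the check returns is a listing the owner would need to cancel on-chain, because hiding it in the interface does not invalidate it.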
As we wrote, the vulnerability first became known on December 31, 2021. Two weeks later, a post was published that describes in detail the procedure for buying NFTs using old smart contracts. So far, OpenSea has not commented on the situation.
Source: The Verge