OpenSea Reimburses Users Who’ve Suffered Losses from NFT Listing Bug, More Exploits Uncovered

OpenSea has reimbursed users whose NFT listings were sold below market price due to a listing bug. Meanwhile, more exploits were uncovered.

Quick take:

  • OpenSea has reimbursed $1.8 million worth of ETH to users so far.
  • The marketplace has been sending out emails notifying users to cancel listings of NFTs that have been transferred to another wallet.
  • The emails led to further exploitation by frontrunners.

After OpenSea’s recent listing bug caused some users to suffer great losses when their NFTs were sold below market price, the marketplace rolled out a new listing manager. Users have since discovered that the emails the marketplace has been sending out led to further exploits by scrapers.

While OpenSea has reimbursed users up to $1.8 million so far, with one user receiving a refund of 13.8 ETH for his Mutant Ape Yacht Club (MAYC) NFT that was accidentally sold for 4.8 ETH, others were still having their previously listed NFTs sold below their intended price. 

This was due to the emails from OpenSea telling users to cancel listings of NFTs that have been transferred to another wallet, as the marketplace is unable to cancel listings on behalf of users.

When users went to cancel their listings, the old listings were exposed to people using frontrunning bots to scoop up the NFTs at the lower listed price, as explained by Twitter user “dingaling”.

This happened to NFT artist and collector “swolfchan.eth” who went to cancel a 15 ETH listing of a MAYC NFT but instead triggered the sale of a previous NFT listing for 6 ETH.

Dingaling explained the mishap, saying: “After receiving the above email from Opensea, Swolfchan went to cancel his “inactive listings”. He started with cancelling the 15E listing, which was successful and confirmed in block 14086214.”

“He then went to cancel the 6E listing, which is where things went very wrong. When cancelling the 6E listing, an “exploiter” saw the cancellation tx waiting in the ETH mempool and executed a sale of the NFT for 6E IN THE SAME BLOCK by frontrunning the cancellation using flashbots rpc. Both txs were in block 14086215,” he continued.

He went on to explain that exploiters can see the NFT listing details on the cancellation transaction in the mempool, and can then execute a transaction to buy the NFT at the original low price. 

To prevent this from happening again, Dingaling is urging users to first transfer their NFTs to another wallet, then cancel the old listings, and only then transfer the NFTs back.
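The ordering problem and the recommended sequence can be seen in a toy model. This is an added example, not OpenSea's contract code. It assumes a listing stays fillable only while the seller still holds the token and has not cancelled it on-chain, and that transactions in a block apply strictly in order; the names "vault", "old" and "new" are made up for illustration.

```python
# Toy model (constructed for illustration): a listing is a signed order that
# stays fillable while the signer owns the token and has not cancelled it
# on-chain. Transactions inside a block apply strictly in order.
from dataclasses import dataclass, field

@dataclass
class Chain:
    owner: dict                      # token -> current owner
    listings: dict                   # listing id -> (token, seller, price in ETH)
    cancelled: set = field(default_factory=set)
    sales: list = field(default_factory=list)

    def apply(self, tx):
        kind = tx[0]
        if kind == "transfer":
            _, token, sender, to = tx
            if self.owner[token] != sender:
                return "reverted"
            self.owner[token] = to
        elif kind == "cancel":
            self.cancelled.add(tx[1])
        elif kind == "fill":
            _, lid, buyer = tx
            token, seller, price = self.listings[lid]
            # Assumed validity rule: not cancelled and seller still holds it.
            if lid in self.cancelled or self.owner[token] != seller:
                return "reverted"
            self.owner[token] = buyer
            self.sales.append((lid, price))
        return "ok"

def run(blocks):
    chain = Chain(owner={"mayc": "seller"},
                  listings={"old": ("mayc", "seller", 6),
                            "new": ("mayc", "seller", 15)})
    return chain, [[chain.apply(tx) for tx in block] for block in blocks]

def cancel_directly():
    # The pending cancel reveals listing "old"; a fill ordered ahead of it
    # in the same block executes first, so the cancel lands too late.
    return run([[("cancel", "new")],
                [("fill", "old", "buyer"), ("cancel", "old")]])

def transfer_then_cancel():
    # Sequence from the article: move the token, cancel, then move it back.
    return run([[("transfer", "mayc", "seller", "vault")],
                [("fill", "old", "buyer"), ("cancel", "old")],
                [("transfer", "mayc", "vault", "seller")],
                [("fill", "old", "buyer")]])
```

In the first sequence the 6 ETH fill succeeds before the cancel lands; in the second the same fill reverts both while the token is held elsewhere and after it returns, because the cancel is already on-chain.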

OpenSea has been made aware of the exploits. Replying to Dingaling’s Twitter thread about the issue yesterday, OpenSea co-founder Alex Atallah said: “Fixing this issue is our #1 company priority – we have a team working on it and putting up a countermeasure now.”  

Today, OpenSea updated its guidance on cancelling inactive listings with the same advice Dingaling gave yesterday.
