- OpenSea has reimbursed $1.8 million worth of ETH to users so far.
- The marketplace has been sending out emails notifying users to cancel listings of NFTs that have been transferred to another wallet.
- The emails led to further exploitation by frontrunners.
Following OpenSea’s recent listing bug, which caused some users to suffer great losses when their NFTs were sold below market price, and the subsequent rollout of a new listing manager, users have discovered that the emails the marketplace has been sending out led to further exploits by scrapers.
While OpenSea has reimbursed users up to $1.8 million so far, with one user receiving a refund of 13.8 ETH for his Mutant Ape Yacht Club (MAYC) NFT that was accidentally sold for 4.8 ETH, others were still having their previously listed NFTs sold below their intended price.
This was due to the emails from OpenSea telling users to cancel listings of NFTs that had been transferred to another wallet, as the marketplace is unable to cancel listings on behalf of users.
When users went to cancel their listings, the old listings were exposed to people who used a frontrunning bot to scoop up the NFTs listed for a lower price, as explained by Twitter user “dingaling”.
This happened to NFT artist and collector “swolfchan.eth”, who went to cancel a 15 ETH listing of a MAYC NFT but instead triggered the sale of a previous NFT listing for 6 ETH.
Dingaling explained the mishap, saying: “After receiving the above email from Opensea, Swolfchan went to cancel his “inactive listings”. He started with cancelling the 15E listing, which was successful and confirmed in block 14086214.”
“He then went to cancel the 6E listing, which is where things went very wrong. When cancelling the 6E listing, an “exploiter” saw the cancellation tx waiting in the ETH mempool and executed a sale of the NFT for 6E IN THE SAME BLOCK by frontrunning the cancellation using flashbots rpc. Both txs were in block 14086215,” he continued.
He went on to explain that exploiters can see the NFT listing details on the cancellation transaction in the mempool, and can then execute a transaction to buy the NFT at the original low price.
1/ WARNING: DO NOT CANCEL YOUR OS LISTINGS AS STATED IN THE EMAIL THAT OPENSEA JUST SENT OUT🚨🚨
Please FIRST transfer your NFT to a different address and cancel the listing/s on the original address BEFORE sending it back
OS just put everyone at even more risk than before🧵
— dingaling (@dingalingts) January 27, 2022
To prevent this from happening again, Dingaling is urging users to first transfer their NFTs to another wallet, then cancel the old listings, before transferring the NFTs back.
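The ordering problem and the transfer-first workaround described above can be reproduced in a toy model. This is an added example, not code from OpenSea or from Dingaling's thread: the ledger, the priority-ordered block and all names (`Chain`, `mine_block`, `seller2`, `bot`) are assumptions, and the rule that a listing settles only while its maker still holds the token is a simplification of how marketplace orders are checked on-chain.

```python
from dataclasses import dataclass, field

@dataclass
class Chain:
    """Toy ledger for a single NFT (constructed model, not a real contract)."""
    owner: str
    cancelled: set = field(default_factory=set)
    sales: list = field(default_factory=list)

    def apply(self, tx):
        order = tx.get("order")
        if tx["kind"] == "cancel":
            self.cancelled.add(order["id"])
            return True
        if tx["kind"] == "transfer" and self.owner == tx["frm"]:
            self.owner = tx["to"]
            return True
        # Assumption: a signed listing settles only if it has not been
        # cancelled and its maker still holds the token at execution time.
        if (tx["kind"] == "fill" and order["id"] not in self.cancelled
                and self.owner == order["maker"]):
            self.owner = tx["buyer"]
            self.sales.append(order["price_eth"])
            return True
        return False  # transaction reverts, state unchanged

def mine_block(chain, txs):
    """Apply one block's transactions, highest priority first."""
    return [chain.apply(tx) for tx in sorted(txs, key=lambda t: -t["priority"])]

# Constructed sample data: the forgotten 6 ETH listing and two competing txs.
OLD = {"id": "old-6", "maker": "seller", "price_eth": 6}
CANCEL = {"kind": "cancel", "order": OLD, "priority": 1}
FILL = {"kind": "fill", "order": OLD, "buyer": "bot", "priority": 2}

def cancel_directly():
    chain = Chain(owner="seller")
    mine_block(chain, [CANCEL, FILL])  # fill is ordered ahead of the cancel
    return chain.owner, chain.sales

def transfer_then_cancel():
    chain = Chain(owner="seller")
    mine_block(chain, [{"kind": "transfer", "frm": "seller", "to": "seller2", "priority": 1}])
    mine_block(chain, [CANCEL, FILL])  # fill reverts: maker no longer holds the NFT
    mine_block(chain, [{"kind": "transfer", "frm": "seller2", "to": "seller", "priority": 1}])
    return chain.owner, chain.sales

if __name__ == "__main__":
    print("cancel directly:     ", cancel_directly())
    print("transfer then cancel:", transfer_then_cancel())
```

In the second sequence the NFT only returns to the original wallet after the cancellation has been mined, which is why the order of the three steps matters.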
OpenSea has been made aware of the exploits. Replying to Dingaling’s Twitter thread about the issue yesterday, OpenSea co-founder Alex Atallah said: “Fixing this issue is our #1 company priority – we have a team working on it and putting up a countermeasure now.”
Today, OpenSea updated its guidance on cancelling inactive listings with the same advice Dingaling gave yesterday.