OpenSea refunds $1.8M ETH to customers who lost NFTs from exploit
OpenSea has now refunded 750 ETH ($1.8 million) to users who sold valuable NFTs at substantially below their going market rate because of an exploit involving "inactive listings."
OpenSea co-founder Alex Atallah said fixing this problem is the NFT marketplace's first priority.
Several users of the largest NFT marketplace recently reported that their high-end NFTs, such as those from the Bored Ape Yacht Club (BAYC) collection, were bought at old, much lower listing prices. Although OpenSea's user interface suggested otherwise, those listings had never been canceled on the blockchain.
How did this happen? Tech-savvy users funded fresh crypto wallet addresses through services like Tornado Cash, without disclosing the source of the funds, and then used that money to acquire NFTs at the previous listing prices.
This isn't a brand-new exploit. Users must pay a gas fee to complete any transaction on the Ethereum blockchain, and that includes canceling an OpenSea listing that has not yet expired. Before OpenSea offered configurable expiration periods on listings, most NFT owners had dormant listings with no expiration date, which therefore had to be canceled manually, at the cost of a gas fee. Expired listings are harmless, but inactive listings are unsafe.
To avoid paying Ethereum gas fees, which can easily run into the hundreds of dollars for a single transaction, some NFT owners found a workaround: if they transferred the NFT to a secondary wallet and then back to the original wallet, the listing vanished from the OpenSea UI.
The listing, however, had simply changed from "active" to "inactive." Inactive listings can still be bought by anyone who interacts directly with the smart contracts themselves rather than through OpenSea's interface.
OpenSea informed some BAYC holders earlier this week that they would be reimbursed some Ethereum for their losses.
On January 26, OpenSea sent an email to NFT holders with idle listings, requesting that they "act promptly to terminate any inactive listings."
NFT collector Dingaling, in a lengthy Twitter thread, called the email "incredibly reckless on their part and makes things 100x worse. This makes the exploit considerably easier to carry out."
Because the email simply told users to cancel dormant listings one by one on the OpenSea website, exploiters were able to buy against the remaining inactive listings while users were still working through them. Swolfchan, for example, kept their Mutant Ape Yacht Club Ape in their main wallet and canceled a 15 ETH inactive listing, planning to cancel a 6 ETH listing next.
However, in the time it took Swolfchan to cancel the first inactive listing and move on to the second, an exploiter purchased their Ape for the 6 ETH price.
According to Dingaling, Swolfchan would have been safe had they transferred the Ape to another wallet, canceled all the listings, and only then moved the Ape back to the primary wallet. These instructions, however, did not appear in OpenSea's initial email.
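The three situations described above (the transfer-out-and-back workaround, canceling in place one listing at a time, and the safer cancel-from-a-secondary-wallet procedure) can be modeled with a small simulation. The code below is an added illustration, not OpenSea's or its exchange contract's code; it assumes a simplified order model in which a listing is a signed sell order that stays valid on-chain until the maker explicitly cancels it, and a UI that hides a listing once the token leaves the maker's wallet without ever re-surfacing it. The addresses, token id and prices are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample addresses and token id (not real on-chain values).
MAIN, SECONDARY, BUYER = "0xMAIN", "0xSECONDARY", "0xBUYER"
APE = 1234


@dataclass
class Order:
    """A signed sell order. It stays valid on-chain until explicitly cancelled."""
    maker: str
    token_id: int
    price_eth: float
    cancelled: bool = False


class Chain:
    """Minimal stand-in for the NFT contract plus the exchange contract."""

    def __init__(self, owners):
        self.owners = dict(owners)   # token_id -> current owner address
        self.orders = []

    def list_for_sale(self, maker, token_id, price_eth):
        order = Order(maker, token_id, price_eth)
        self.orders.append(order)
        return order

    def transfer(self, token_id, frm, to):
        if self.owners[token_id] != frm:
            raise ValueError("not the owner")
        self.owners[token_id] = to

    def cancel(self, order):
        """On-chain cancel: costs gas, and is the only way to retire an order."""
        order.cancelled = True

    def fillable(self, order):
        """What a direct caller of the exchange contract checks: not cancelled,
        and the maker still holds the token."""
        return not order.cancelled and self.owners[order.token_id] == order.maker

    def fill(self, order, taker):
        if not self.fillable(order):
            raise ValueError("order not fillable")
        self.owners[order.token_id] = taker
        return order.price_eth


class MarketplaceUI:
    """Hides a listing once the token leaves the maker's wallet and does not
    show it again when the token returns (it never cancels anything on-chain)."""

    def __init__(self, chain):
        self.chain = chain
        self.inactive = set()

    def refresh(self):
        for o in self.chain.orders:
            if self.chain.owners[o.token_id] != o.maker:
                self.inactive.add(id(o))

    def status(self, order):
        if order.cancelled:
            return "cancelled"
        return "inactive" if id(order) in self.inactive else "active"


def gas_saving_workaround():
    """Transfer out and back: the UI says 'inactive', but the order is still fillable."""
    chain = Chain({APE: MAIN})
    ui = MarketplaceUI(chain)
    order = chain.list_for_sale(MAIN, APE, 15.0)
    chain.transfer(APE, MAIN, SECONDARY)
    ui.refresh()
    chain.transfer(APE, SECONDARY, MAIN)
    ui.refresh()
    return ui.status(order), chain.fillable(order)


def cancel_one_by_one():
    """Cancelling in place, one listing at a time, leaves the other one live meanwhile."""
    chain = Chain({APE: MAIN})
    high = chain.list_for_sale(MAIN, APE, 15.0)
    low = chain.list_for_sale(MAIN, APE, 6.0)
    chain.cancel(high)
    # Window before the second cancel lands: the 6 ETH order is still valid.
    sold_for = chain.fill(low, BUYER) if chain.fillable(low) else None
    return sold_for, chain.owners[APE]


def cancel_from_secondary_wallet():
    """Move the token out first, cancel every order, then move it back."""
    chain = Chain({APE: MAIN})
    chain.list_for_sale(MAIN, APE, 15.0)
    chain.list_for_sale(MAIN, APE, 6.0)
    chain.transfer(APE, MAIN, SECONDARY)
    exposed_during = any(chain.fillable(o) for o in chain.orders)
    for o in chain.orders:
        chain.cancel(o)
    chain.transfer(APE, SECONDARY, MAIN)
    exposed_after = any(chain.fillable(o) for o in chain.orders)
    return exposed_during, exposed_after


if __name__ == "__main__":
    print("workaround:", gas_saving_workaround())
    print("cancel in place:", cancel_one_by_one())
    print("cancel from secondary wallet:", cancel_from_secondary_wallet())
```

The design point the model makes explicit is that UI state and on-chain validity are separate: hiding a listing does nothing to the signed order, so the only states in which no order is fillable are "token not in the maker's wallet" and "order cancelled on-chain". Moving the token out first puts every outstanding order into the first state for the whole cancellation window, which is why the secondary-wallet procedure closes the gap that canceling in place leaves open.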
"Fixing this issue is our #1 company priority," OpenSea co-founder Alex Atallah told Dingaling on January 27. "We have a team working on it right now, and we're putting a countermeasure in place."
Ledger CTO Charles Guillemet offered a few suggestions for such countermeasures.
"It could have been avoided with an alternative design," he said. According to Guillemet, OpenSea's UI should have been more user-friendly: "Transferring the NFT should not remove the sell order from the UI."
First published on Jan 29, 2022