Hey 👋
Hope you’re having a great week.
Welcome to the mesha tribe—a biweekly newsletter by mesha, an exclusive social community that lets you chat with friends, discover stocks and participate in challenges all on one platform.
Awesome. Let’s go!
The Big Story
Winter is here, and investors are feeling the chill as the entire crypto market erases $1.5 trillion in market cap. But while that's happening, some savvy opportunists have found a way to make millions.
And it's all because of a bug.
No, not him, a digital one.
Hackers on OpenSea are taking advantage of a bug that allows them to purchase NFTs from traders at lower prices. According to blockchain analytics firm Elliptic, which first reported the incident, more than three hackers bought around eight NFTs at well below market value. So far, they have made more than $1 million by exploiting this bug and purchasing some of the rare NFTs, including Cool Cats, Cyberkongz NFTs, Bored Ape Yacht Club, and Mutant Ape Yacht Club.
How did they do it?
Well, it appears that these hackers took advantage of how OpenSea manages its active listings. While the issue first emerged on Twitter on Jan 2, after a user complained about his forced NFT sale, CoinDesk reported that it had existed since Dec 31.
Basically, here's what's happening: When users want to sell their NFTs, they set a 'list price' for potential buyers to view. Since NFTs are minted through smart contracts, the ownership is automatically transferred to anyone who accepts the list price. If they want to re-list for a higher price, they have to cancel the first listing and delist the NFT by paying the gas fees, which can run into hundreds or even thousands of dollars. To avoid paying these transaction costs, some users have simply transferred their NFTs to other wallets and then back to their original wallets.
While this does remove the listing from OpenSea's user interface, the original listing, with its old list price, still remains active and accessible on the platform's APIs. This mismatch between NFT smart contracts and OpenSea's front end is what the hackers are manipulating.
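The mismatch described above can be modelled in a few lines. This is an added example, not OpenSea's code or API: `ToyMarketplace`, its methods, the wallet names and the prices are all constructed, and it assumes a listing stays acceptable whenever it was never cancelled and the seller holds the token.

```python
from dataclasses import dataclass

@dataclass
class Listing:
    token_id: str
    seller: str
    price_eth: float
    cancelled: bool = False   # set only by an explicit (gas-paying) cancel
    shown_in_ui: bool = True

class ToyMarketplace:
    """Constructed model of the behaviour described above, not OpenSea's code."""

    def __init__(self):
        self.owner = {}       # token_id -> wallet currently holding it
        self.listings = []    # every listing ever created

    def list_token(self, token_id, seller, price_eth):
        self.owner.setdefault(token_id, seller)
        listing = Listing(token_id, seller, price_eth)
        self.listings.append(listing)
        return listing

    def transfer(self, token_id, to_wallet):
        # The front end drops listings for a token that leaves the seller's
        # wallet, but nothing is cancelled: the listing record stays live.
        for l in self.listings:
            if l.token_id == token_id and l.seller == self.owner[token_id]:
                l.shown_in_ui = False
        self.owner[token_id] = to_wallet

    def fillable(self, listing):
        # Assumption: a listing can be accepted whenever it was never
        # cancelled and the seller holds the token right now.
        return not listing.cancelled and self.owner[listing.token_id] == listing.seller

    def hidden_but_fillable(self, wallet):
        """Audit: listings the seller cannot see in the UI but that can still be accepted."""
        return [l for l in self.listings
                if l.seller == wallet and not l.shown_in_ui and self.fillable(l)]

def demo():
    m = ToyMarketplace()
    old = m.list_token("token-1", "seller", 15.0)   # constructed values
    m.transfer("token-1", "seller-alt")             # the "free delist" shortcut
    m.transfer("token-1", "seller")                 # back to the original wallet
    m.list_token("token-1", "seller", 150.0)        # re-list at a higher price
    exposed = m.hidden_but_fillable("seller")
    old.cancelled = True                            # an explicit cancel closes it
    return [l.price_eth for l in exposed], m.hidden_but_fillable("seller")
```

In this model the audit only comes back empty after the explicit cancel, which is the step the transfer shortcut skips.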
Hack or Bug?
While the jury's still out on this, here's what Elliptic founder Tom Robinson said:
“I think a lot of responsibility is being placed on the user to understand how these systems operate. There’s a tension here between whether the responsibility really is on the user or whether some of that responsibility should be on marketplaces such as OpenSea to protect users from these types of exploits.”
OpenSea's spokesperson also told Bloomberg that the platform can't cancel listings on users' behalf, adding that they're working on making users more aware of their listings. The platform is actively reaching out and reimbursing users affected by the issue.
Regardless, the incident has sparked security concerns in the crypto community, as it appears users have little to no recourse except depending on goodwill. While crypto wallets are usually anonymous, hackers can be identified only if they use an exchange to cash out into fiat currency. But there's a way to bypass this using a mixing service like Tornado Cash that prevents blockchain tracing of funds, which is exactly what one of the hackers did.
That all this is happening on the largest and most trusted market for such digital assets, which recently received an astonishing $13.3 billion valuation in a new funding round, has led investors and creators to pause and consider alternative options.
You made it till the end!
If you found this newsletter insightful, share it with your friends and colleagues and let us know what you think. Once again, thank you for reading.
We, at Mesha, believe in democratizing finance. Join us and be a part of a community that helps you to take your net worth #ToTheMoon🚀