This week, the NFT marketplace had two major fails as many users were angry over their actions. The first fail came as a major exploit in OpenSea's code was brought into the spotlight after many people started to notice that their NFTs were being sold at significantly low prices. The exploit has allowed exploiters to buy up valuable NFTs for prices well below the floor price and sell them for hundreds of thousands of dollars in profits.
This exploit is not new, as one of the first mentions of this exploit came on January 1, 2021, after Carson Turner noticed that his Bored Ape #2643 was sold at a previous listing. It was mostly unknown how sales like these were being made at the time.Â
It was not until Monday, January 24, the exploit came back into the spotlight after Bored Ape #9991 was sold for 0.77 ETH. It was then that NFT Twitter users started to explain and warn about the exploit. According to Rotem Yakir, the exploit results from a mismatch between the data in NFT smart contracts and the information presented by OpenSea's UI.Â
The mismatch occurs when users list an NFT for sale and "approve" the token for trading on its platform. This makes an on-chain listing making your NFT up for sale. If the NFT is then listed at a new price, a new listing is created on the chain and is presented in the UI. The problem is that OpenSea does not cancel the original listing, leaving upon the blockchain and allowing exploiters to buy these NFTs at the original listing.Â
As a response to mitigate the damages felt by this exploit, OpenSea sent out an email Wednesday telling their users to cancel any old or inactive listing. But this email was seen as another significant fail as it led to more NFT's being sold at old listings.Â
But this email was seen as another major fail as it led to more NFT's being sold at old listings. This was the exact case for Swolfchan; he canceled an old listing of 15 ETH for his Mutant Ape just like the email told him to do. But this cancellation resulted in an exploiter buying the Mutant Ape for an even older listing of 6 ETH.Â
The problem with the OpenSea email is that it leaves users vulnerable to the same exploit that it was trying to prevent. A person who cancels an old listing alerts exploiters that an NFT is being canceled, allowing them to front-run the cancellation and buy at a low price. This is why Twitter user Dingaling says the best way to ensure that the exploit can't happen is by transferring the NFT to another wallet, canceling the old listing, and transferring the NFT to the original wallet. Transferring the NFT to another wallet ensures that the NFT is not bought, exploiter.Â
Pransky further points out that the most important step is ensuring you cancel while the NFT is in another wallet, or else it will trigger an MEV bot to front-run your cancellation transaction.Â
The response from OpenSea has not been good as many users have been left frustrated with the marketplace. To make up for their wrongdoings, OpenSea has reimbursed $1.8 million to some affected people. But, OpenSea still has lots of work to do to regain its users' trust and fix this problem.
