NFT marketplace OpenSea has reimbursed about $1.8 million to users who had their blue-chip non-fungible tokens (NFTs) snatched up and resold for far below the market value on Monday.
According to data provided by OpenSea, the platform reimbursed a total of 750 Ether for 130 wallet addresses. The move comes after at least three attackers purchased more than eight NFTs worth over $1 million for much less than their market value.
The stolen NFTs in question were from collections like BAYC, Mutant Ape Yacht Club, Cool Cats, and CyberKongz. One user who goes by ‘jpegdegenlove’ even paid roughly $133,000 for seven NFTs, three of which were from the Bored Ape Yacht Club collection before selling them for $934,000 of ether.
Blockchain analytics firm Elliptic reported that the exploit came from the ability to re-list an NFT at a new price, without canceling the previous listing, adding ‘Those previous listings are now being used to purchase NFTs at prices specified at some point in the past which is often well below current market prices.’
UI Issue, Not a Bug
Sellers who wish to cancel their listings on NFT platforms have to pay transaction or ‘gas’ fees. A way to circumvent the fees is to move the items to a different wallet.
OpenSea highlights that the loophole was not an exploit or a bug, but rather a UI issue that arises when a user creates a listing, then transfers the NFT to a different wallet typically to avoid the gas fee.
Additionally, the platform is changing the default listing duration for NFTs from six months to one month, so that if an NFT is transferred back into a wallet after the new time frame the listing will have expired. The platform even added a ‘Listings’ tab on users’ profiles that allows them to review both active and inactive listings of their NFT items.