Developers are investigating an exploit that steals NFTs from OpenSea users

Last month, the media reported that unidentified hackers were stealing NFTs from users of the OpenSea marketplace. Then the researchers reported that the problem was related to a bug and re-listing of NFTs for sale. For example, users can put an NFT up for sale, and then cancel the listing, update it, and list the lot at the new price.

As a result, hackers “bought” valuable NFTs at bargain prices with the help of a bug, and then resold them for much more. For example, in one case, a scammer bought an NFT for $1,775 and then immediately resold it for almost $200,000.

As Vice Motherboard now reports, the administration of OpenSea returned the money to many users, but some received full compensation, while others were offered to compensate only 2.5% of the site commission received from the sale of NFTs. According to journalists, over the past ten days, OpenSea has reimbursed the victims about $1 million.

It remains unclear what the company’s criteria are for redressing damages, and why the situations of different people are so different. OpenSea said it does not comment on specific cases related to customer support.

Worse, attacks on users are still ongoing, and now a warning flaunts on the main page of the marketplace that reads:

Also, users are advised to switch to a new smart contract, which eliminates the same problem with old, but still available ads. Since the bug seems to have been fixed, some users are suggesting that attackers are now facilitating phishing attacks by luring victims to a page that is supposedly related to switching to a new smart contract.

According to Vice Motherboard, scammers have now been able to transfer many NFTs from different users to their address. Among other things, NFTs were stolen from such popular collections as Bored Ape Yacht Club and Mutant Ape Yacht Club.

The attackers have already sold part of the NFT: for example, an item from the Azuki collection went for 13.4 ETH ($36,380 at the time of sale). As a result, the hackers’ wallet already contains more than 600 ETH, that is, almost $2 million.

Let me remind you that we also reported that NFTs may reveal users’ IP addresses.

You may also be interested in the information that Exploit appeared for a critical vulnerability in Magento, and Adobe fixed a second similar bug.