OpenSea hacked for $780,000

[Kavelj22]

Someone in my local board posted about the incident and i was wonder why no other topics discussing the attempt.

PeckShield company announced in a tweet that the famous platform dedicated for create/exchange NFTs with $3.5 billion in monthly trading volume has been hacked for 332 Eth equivalent to $780,000 by the actual price.
Tweet: https://twitter.com/PeckShieldAlert/status/1485547426467364864

The incident was reported three days ago without any official announcement from the platform. According to this article, this how the incident happened:

A bug in the front end of OpenSea, one of the world’s biggest markets for Non-fungible Tokens (NFTs), is reportedly the cause of the hack, as it allowed users to buy popular NFTs at their previous listing price.

[1715495042]

1715495042

[vv181]

This is frustrating noting those kinds of bugs have already happened since December 2021.

Opensea have officially undisclosed the bug/exploit on their platform on January 26 January: Important updates for listing and delisting your NFTs

What I found ironic is they stated:

Our support team has also been working tirelessly to reach out to affected users and reimburse them until our product experience can make this risk clearer. We understand the community’s frustration that we haven’t been more public in our communication on this topic. Simply put, we were concerned that the more attention we drew to this mechanism, the more it could be abused by bad actors. As a result we focused our efforts on reaching out 1:1 with affected users rather than announcing this news more broadly.

I understand that, the move is pretty plausible, but the bug is already informed since the first known bug getting exploited[1]. Yet they need a month to finally fixed it on the front end side

[1] https://twitter.com/cap10bad/status/1476980294347538435

[dimonstration]

Maybe they are covering the hacking event so that other user will not panic and to hide the exploit point on there system to minimize the damage done to different user. As I understand the situation, The funds affected is from user who's using the opensea so they are just planning to fix this privately before they announce the incident. This is my first time to read this news while I'm always using opensea to list my NFT's and check my listing daily.

Is there any news if all funds will be recover from the hacker?

[hugeblack]

It seems that the platform has contained the matter and paid the amount instead of jeopardizing its reputation. Such events would resonate if it was for many individuals and not for one user.
The problem is that the existence of such vulnerabilities will cause people to believe that the technology has been hacked (ETH blockchain) and not the fault of the platform.

Also, the delay in correcting the bug is not a good indicator, so the average user should not keep the money in the platform for a long time.

Generally, it is good to hide such news for the industry as a whole but it is bad for OpenSea users.

[mardaed]

It seems that the platform has contained the matter and paid the amount instead of jeopardizing its reputation.

By the looks of it, it seems to be the situation, they are indeed hiding the situation. However, with this information coming out now, I think that this will affect OpenSea now. I just hope that they focus more on the quality of their security, in order to assure their users, who will surely panic and be worried upon knowing this incident.

[ryzaadit]

-snip-

No for what?

780,000$ is really small, you can easily to mixer the fund with Tornado Cash.
---

Some people think even myself, this kind of issue is not really "OpenSea"x. The reason is on the blockchain every listing needs a contract transaction, and the user also trying to avoid canceling the listing by transferring to another wallet and transferring back to the original wallet.

Basically, he doesn't want to pay fee transaction ~XD I believe, If he is not the cheapest person who just pay for the cancel listing should be not really getting into the problem.

[crzy]

It seems that the platform has contained the matter and paid the amount instead of jeopardizing its reputation.

By the looks of it, it seems to be the situation, they are indeed hiding the situation. However, with this information coming out now, I think that this will affect OpenSea now. I just hope that they focus more on the quality of their security, in order to assure their users, who will surely panic and be worried upon knowing this incident.

They probably hiding it unfortunately, someone caught them and this is not a small money at all. A decentralized platform where you can buy and sell NFT got hacked and that’s alarming to me. They should have a better security in the first place, and of course we deserve a total disclosure of this incident.

[Silberman]

-snip-

No for what?

780,000$ is really small, you can easily to mixer the fund with Tornado Cash.
---

Some people think even myself, this kind of issue is not really "OpenSea"x. The reason is on the blockchain every listing needs a contract transaction, and the user also trying to avoid canceling the listing by transferring to another wallet and transferring back to the original wallet.

Basically, he doesn't want to pay fee transaction ~XD I believe, If he is not the cheapest person who just pay for the cancel listing should be not really getting into the problem.

A hack is a hack, even if the amount of money that got stolen is on the low side it does not change the fact that someone was able to find a bug big enough to allow them to do something like this, and if it takes so much time to fix something that is so small what is it going to happen the day a hacker finds a huge exploit on their platform? So while the amount is small compared to what we are used to see, it does not change the fact they need to improve their security before an even larger hack happens to them.

[ryzaadit]

-snip-

You should learn to make a difference between hack and bug advantage.

Hack, you are completed hacking the whole platform. This is just a bug advantage because you are not canceling any listing price on the smart contract. Remember, any activity on the blockchain need a smart contract transaction for your activity.
- Listing
- Canceling
- Buy
- Other things.

The buyer is not canceling his listing price of 1,700$, you want to know what he did? he transfer the NFTs to other wallets to avoid spending money for canceling the listing price (That's mean, the victim is also trying to use a bug to avoid gas fee cost unlisting). Because of that, his listing price of 1,700$ is still stored on the smart contract.

Time to learn, If you have an activity on smart contract always canceled via smart contract and next time don't use any kind of loophole to bypass don't want to spend money for canceling. Imagine, you are using a bug opensea to avoid spending gas unlisting price and  you get rekt by the bug it self from what you did (Damn, it's like karma back stabing you).
---
Fun fact, at least the person who did this send 20 ETH to the victim.

[DapanasFruit]

A hack is a hack, even if the amount of money that got stolen is on the low side it does not change the fact that someone was able to find a bug big enough to allow them to do something like this, and if it takes so much time to fix something that is so small what is it going to happen the day a hacker finds a huge exploit on their platform? So while the amount is small compared to what we are used to see, it does not change the fact they need to improve their security before an even larger hack happens to them.

That's the point. There is a serious security problem in the OpenSea platform and this has to be fixed otherwise there can be another hacking to come later on and who knows if it can be more successful than this one. In an expanding and really exciting NFT industry, a huge platform catering to such an industry has to invest more on security as this can really affect the credibility of the whole industry itself.

[jeungo]

I'm not surprised, they draw too much attention to themselves, although initially the site was not designed for such a large amount of money later. For this reason, their defense was most likely also designed for the basic level of attack. When you're making hundreds of thousands of dollars worth of trades, you need to invest in protection.

[hugeblack]

By the looks of it, it seems to be the situation, they are indeed hiding the situation. However, with this information coming out now, I think that this will affect OpenSea now. I just hope that they focus more on the quality of their security, in order to assure their users, who will surely panic and be worried upon knowing this incident.

Lots of platforms have been hacked yet people are still using them as an example in the last year:

 - 2021, December, 2021: BitMart hacked (Obtained access to hot wallet) with $150 million
 - 2021, August 19: Liquid hacked (Obtained access to hot wallet) with $97 million
 - 2020, September 25: KuCoin hacked (Data leak) of $275 million
.
.
.
 - 2018, January 27: CoinCheck hacked (Unknown) with $560 million

Source --> https://www.hedgewithcrypto.com/cryptocurrency-exchange-hacks/

Most of these platforms have several million users who spend millions of dollars.

They probably hiding it unfortunately, someone caught them and this is not a small money at all. A decentralized platform where you can buy and sell NFT got hacked and that’s alarming to me. They should have a better security in the first place, and of course we deserve a total disclosure of this incident.

NFT tokens are a hot topic and such hacks will cause big problems for them especially with the increased competition and with more money flowing in, paying those sums is better than nothing.

[Jating]

Oh, that's really too back to hear that at the start of the year we have a hack already, although the amount is that that huge compare to the other hacks from the past 4 years. Nevertheless people have lost their money due to the inability of the devs to really test their platform and look for loopholes. And now the hackers have found the exploits and we can't do anything about it. And it will tarnished the image of OpenSea with this hacks.

[cryptoaddictchie]

Exploit or a genius?

I think this is the case of a BAYC nft who got sold on its long time bid. Ive been following the story few days back and we cant blame someone who see a loophole on the opensea. Its actually the error of the seller without finishing his sale or cancelling his bid before transferring to other wallet. Now the exploiter see a bright opportunity there and did some magic which should have been avoided if opensea showing any record of uncancelled transactions.

For me its an error of the seller and opensea. But the hacker clearly did not exploit any wrong codes he just probably find a way to buy a cheaper nft compared to current floor price.

[mardaed]

Lots of platforms have been hacked yet people are still using them as an example in the last year:

NFT tokens are a hot topic and such hacks will cause big problems for them especially with the increased competition and with more money flowing in, paying those sums is better than nothing.

While that is indeed true that many platforms have been hacked before, I think that it won’t be prevented that users will be rattled, especially that they were not made aware of such happenings. Although, paying those stolen funds may seem to be a way to salvage the situation, having a full disclosure will be highly appreciated by the users for sure.

[ryzaadit]

-snip-.

Yes, that's why I told only bug advantage and not opensea fault at all.
1. Seller using a loophole to avoid un-listing price listing on opensea by sending by send to other address and sent back to original address
2. The previous listing will be disappear visual on the site, but on the smartcontract still being listing
3. Hacker not change any code, he just using API OpenSea because on there the old listing still can be used
4. Hacket run his own bot.
5. Then, is happened.

The seller use loophole for just don't want to avoid fee and now because the loophole it self back stabing him.

[eaLiTy]

Someone in my local board posted about the incident and i was wonder why no other topics discussing the attempt.

PeckShield company announced in a tweet that the famous platform dedicated for create/exchange NFTs with $3.5 billion in monthly trading volume has been hacked for 332 Eth equivalent to $780,000 by the actual price.

There is not much discussion regarding this even in other crypto related groups and i am involved in a few NFT projects and even i did not notice anyone complaining about the issue as well and i first saw this thread here. I do not see OpenSea making any announcement regarding this issue even though i see another article just like you shared. If users come onboard with the issue, OpenSea will make a statement if it really happened.

[Kavelj22]

Oh, that's really too back to hear that at the start of the year we have a hack already, although the amount is that that huge compare to the other hacks from the past 4 years. Nevertheless people have lost their money due to the inability of the devs to really test their platform and look for loopholes. And now the hackers have found the exploits and we can't do anything about it. And it will tarnished the image of OpenSea with this hacks.

No people didn't lose their money as the amount wasn't that big and can be recovered by OpenSea.
The weird thing is that the issue has been reported after discovering the first loophole back to last December. Devs are not aware that small issues can become a real problem if not treated at the right time.

[cryptoaddictchie]

No people didn't lose their money as the amount wasn't that big and can be recovered by OpenSea.
The weird thing is that the issue has been reported after discovering the first loophole back to last December. Devs are not aware that small issues can become a real problem if not treated at the right time.

They did actually. They supposedly received the current floor of their own nft but due to bug of what they did and opensea lack of feature, they loss tremendous amount of money through a genuus buyer who knows a backdoor with the loophole. I might say this isnt a hacked and scammer cant be dove as scammer. Now everyone with same case must be worried now. If I were opensea I talk to thowe guys and at least gave them some compensation though they also have mistake there.

[jrrsparkles]

Someone in my local board posted about the incident and i was wonder why no other topics discussing the attempt.

PeckShield company announced in a tweet that the famous platform dedicated for create/exchange NFTs with $3.5 billion in monthly trading volume has been hacked for 332 Eth equivalent to $780,000 by the actual price.
Tweet: https://twitter.com/PeckShieldAlert/status/1485547426467364864

The incident was reported three days ago without any official announcement from the platform. According to this article, this how the incident happened:

A bug in the front end of OpenSea, one of the world’s biggest markets for Non-fungible Tokens (NFTs), is reportedly the cause of the hack, as it allowed users to buy popular NFTs at their previous listing price.

I didn't see any other threads as well, is there any announcement or update from the official site? If not then we can't trust that the platform is actually hacked, its not really hacked people took money due to the glitches in their security system.