According to blockchain analytics company Elliptic, the exploit is believed to stem from the ability to relist an NFT at a new price without cancelling the original listing. It added that the previous listings are now being used to purchase the affected NFTs at prices that were specified at some point in the past, which are well below current market prices.

NFT owners have in fact acknowledged the existence of the OpenSea bug since the beginning of the year, but have received no response from the marketplace. Things only took a huge turn for the worse on 24 January 2022, when attackers reportedly used the exploit multiple times within 12 hours to nab several NFTs with market values of over US$1 million at only four-figure prices. One of these is a token for an artwork from the popular Bored Ape Yacht Club collection, which was bought by a hacker at 0.77 ETH (~RM 7,810) and then later resold to another buyer for a hefty profit of 84.2 ETH (~RM 854,127).

Elliptic added that the culprit, known by the pseudonym “jpegdegenlove” on OpenSea, sent the newly earned ether through Tornado Cash, a “mixing” service that is used to prevent blockchain tracing of funds. At the time of writing, the hacker’s account no longer exists on the marketplace.
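The stale-listing condition Elliptic describes can be checked for from the owner's side. The sketch below is an added example, not OpenSea's code or API: the `Listing` record, the ownership rule, the function names and the sample data are all assumptions of a toy model. It flags listings that are still open after a newer one was created for the same token, and shows a relist that cancels the old ones first.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Listing:              # hypothetical record, not a real marketplace schema
    listing_id: int
    token_id: str
    seller: str
    price_eth: float
    created_at: int         # constructed timestamp
    cancelled: bool = False

def fillable(listing, owners):
    """Model assumption: a listing can be filled while it is not cancelled
    and its seller still owns the token."""
    return not listing.cancelled and owners.get(listing.token_id) == listing.seller

def stale_listings(listings, owners):
    """Fillable listings superseded by a newer fillable listing from the
    same seller for the same token. These are the ones to cancel."""
    newest = {}
    for l in listings:
        key = (l.token_id, l.seller)
        if fillable(l, owners) and (key not in newest
                                    or l.created_at > newest[key].created_at):
            newest[key] = l
    return [l for l in listings
            if fillable(l, owners) and newest[(l.token_id, l.seller)] is not l]

def relist(listings, token_id, seller, price_eth, now):
    """Relist that cancels every earlier listing of the token by this seller
    before adding the new price, so no old price remains fillable."""
    kept = [replace(l, cancelled=True)
            if (l.token_id, l.seller) == (token_id, seller) else l
            for l in listings]
    new_id = max((l.listing_id for l in listings), default=0) + 1
    return kept + [Listing(new_id, token_id, seller, price_eth, now)]

# Constructed sample data: token-A was relisted without cancelling listing 1.
OWNERS = {"token-A": "alice", "token-B": "bob"}
SAMPLE = [
    Listing(1, "token-A", "alice", 0.8, created_at=100),
    Listing(2, "token-A", "alice", 85.0, created_at=200),
    Listing(3, "token-B", "bob", 5.0, created_at=150),
]

if __name__ == "__main__":
    for l in stale_listings(SAMPLE, OWNERS):
        print(f"still open: listing {l.listing_id} for {l.token_id} at {l.price_eth} ETH")
```
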
OpenSea has yet to officially acknowledge the exploit, and did not respond to any inquiries related to the issue. Additionally, it is not known whether the marketplace plans to take any form of action towards the attackers, or provide compensation to the original owners.

(Source: Reuters / Elliptic)