On February 25, OpenSea, a platform for issuing and selling NFTs, rolled out an upgrade. A day earlier, all users received a request to transfer NFT collections to a new smart contract.
An exploit (from the English verb to exploit, meaning “to use something to one’s own advantage”) is a piece of software, a fragment of code, or a sequence of commands that takes advantage of a vulnerability in software to carry out a cyberattack on a computer system. An attack may be performed to gain control of a computer system (privilege escalation) or to disrupt its services (DDoS attack).
In January, OpenSea traders noticed unusual activity on their accounts: some NFTs were being sold without their approval. OpenSea investigated the situation and discovered that exploiters had found users' old NFT listings with lower prices. The exploiters managed to buy such collections and obtained NFTs for a tiny part of their value.
The exploit resulted in NFT losses amounting to more than 1 million U.S. dollars, with repercussions felt all over the marketplace. As a result, OpenSea had to reassess its security protocols. The marketplace came up with numerous new methods to prevent such risks in the future. The most important move has been the migration to a new smart contract.
OpenSea says that the contract migration will ensure secure expiry of old, inactive listings. It will also allow users to cancel groups of listings at once and use more descriptive signatures.
To guarantee the safety of the contract migration, OpenSea had to disable certain features. The company explained the situation in their tweet:
“During the contract migration you may not see your migrated listings. Due to this, floor prices may temporarily vary; To protect your listings, no bids or purchases can be made on your migrated items until the migration completes. At this point, your listings will reappear in your Active Listings tab.”
The marketplace also warned that floor prices may temporarily vary, but said the problem would be fixed after the migration.
After the migration was announced last week, some sellers lost their tokens due to phishing. OpenSea claimed that the attacks had not come from the marketplace. 250 NFTs were stolen, and three of them were found by Mintable and returned to the owners. Other NFTs were found on the LooksRare platform.
One of the users was so discouraged by multiple exploits that they filed a lawsuit against OpenSea for one million U.S. dollars. The victim was among the users affected by the exploit in which the criminals bought their BAYC (Bored Ape Yacht Club) NFT for only 0.01 ETH ($27).
Users hope that the contract migration will put an end to the endless attacks and exploits. Their anxiety is understandable since OpenSea is the largest NFT platform in the world. In January, OpenSea sold NFTs for a total amount of approximately 5 billion U.S. dollars, and in February, it has already sold 3 billion dollars’ worth of tokens.
Still, this exploit could be the last in the series of OpenSea’s problems.