Critical vulnerability in OpenSea NFT platform allowed hackers to steal millions of dollars

Cybersecurity specialists report that a way has been found to exploit the front-end of OpenSea, currently the most popular non-fungible token (NFT) sales platform. The threat actors appear to be targeting owners of the popular Bored Ape Yacht Club NFT collection.

This incident was reported by the security firm PeckShield, which has an automated alert system for the detection of security threats. According to the report, the attack generated losses of about $750,000 USD on Ethereum, although the figure could vary.

In a separate report, a user revealed that the flaw reportedly made it possible to buy tokens at the lower prices at which they had been listed on OpenSea weeks or months earlier. This report also notes that the attack specifically targets owners of Bored Ape NFTs.

The user mentions that an earlier error reportedly affected OpenSea users, who were charged commissions when they wanted to remove an NFT from sale. Since sellers did not want to pay this expense, they found a workaround: transferring the NFT to another wallet, thus canceling the purchase.

This complicated matters because the item no longer shows the listing on OpenSea, yet the listing is in fact still active through the OpenSea API. The fastest way to view these old listings is on Rarible, which uses the OpenSea API to display and fulfill OpenSea listings.

OpenSea is already aware of these reports and has been asked for its position on the matter. However, at the time of writing the company had not issued an official statement.
