Second bug in 24 hours found in the OpenSea platform
The victims reported a loss of over $1m
A second bug found in under 24 hours in the OpenSea marketplace has enabled users to buy NFTs worth millions for just a few thousand dollars.
Once again, the exploiters targeted the Bored Ape Yacht Club NFT collection, with some Apes being purchased for just a few dollars and immediately resold for less than their market value, earning the exploiter hundreds of thousands of dollars.
As DApp store DappRadar explained, a flaw in the marketplace allowed users to buy certain NFTs at the price at which they had been listed in the past, without the owner realising they were still on sale.
“The bug allowed attackers to purchase at least $1m worth of NFTs across multiple wallets for significantly below market price,” DappRadar said.
“The bug allowed the trader to get their hands on the BAYC NFT, with a floor price of around $220,000 for under $2,000. Of course, the lucky buyer then put the NFT back on sale at ETH84.2, or approximately $200,000. Within minutes the item sold, and the investor pocketed around $197,000 in profit after fees.”
OpenSea Bug Bounty Program
The OpenSea platform recently set up a scheme offering rewards in exchange for reporting vulnerabilities.
Since the launch of the programme in May 2020, the platform has resolved more than 25 such issues.
The bounties range between $500 and $50,000, depending on the severity of the vulnerability and its impact, with the possibility of a higher bounty at the discretion of the OpenSea team.
“Engagement has been tremendous – and since May of 2020, we’ve resolved and paid bounty for more than 25 proven vulnerability reports,” Alex Atallah, co-founder of OpenSea, said.
“Since its launch, OpenSea’s Bug Bounty Program has allowed us to quickly address vulnerabilities, improve our defences and help keep our platform secure alongside our own teams’ efforts.”
NFTs and scams
According to Chainalysis, cryptocurrency-based crime hit an all-time high in 2021, with illicit addresses receiving $14bn over the course of the year, up from $7.8bn in 2020.
NFTs and cryptocurrencies are increasingly being targeted by hackers using malicious programs, with cybersecurity firms constantly trying to develop new tools to counter them.
Recently, another NFT collection, the Ozzy Osbourne NFT series, reportedly fell victim to a scam, with thousands of dollars lost by users.
Australian scammer exposed by sugar baby addiction
In some cases, however, there is no need for a big cybersecurity firm to root out bugs or scammers.
One Australian scammer, for example, revealed himself to the authorities because of his addiction to so-called sugar babies (young women who keep wealthy men company in exchange for financial and material support).
According to the Australian media, the scammer bought a luxury apartment in which to meet escorts and organise sex parties.
The young Australian crypto fraudster is thought to have spent most of the proceeds of his $123m Ponzi scheme on his sugar baby addiction. He was given a seven-and-a-half-year prison sentence.