OpenSea reimbursed users affected by a vulnerability to more than $1.9 million

The OpenSea marketplace has reimbursed users who suffered losses due to a vulnerability in the NFT listing function on the platform, totaling 750 ETH (about $1.95 million at the time of writing). Bloomberg reports, citing the company.

On December 31, 2021, the founder of the freshdrops pointed to a bug, enabling purchases of expensive tokens at undervalued prices.

OpenSea operates an expedited listing of assets — after a set period, the tokens are removed from sale. However, before this mechanism was introduced, delisting NFTs was performed manually and required additional gas fees, which in some cases could be quite high.

To avoid the fee, users found a workaround — by transferring the token to an external wallet and back to the original, it stops appearing in the OpenSea interface. But in such cases, the delisting is not recorded on the blockchain, so the NFT remains available for purchase through the API, which is used by marketplaces such as Rarible.

This method allowed purchases at old prices well below their current value. To address the issue, OpenSea launched the view-and-cancel listings feature, reduced the default listing duration from six months to one month, and notified users of the need to delist.

The latter measure drew criticism in the community. A collector going by the handle Dingaling stressed that OpenSea’s instructions ‘facilitate carrying out the exploit.’ According to him, the first step is to transfer assets to an external wallet.

2/ This is the email that Opensea sent out a few hours ago to users who still had «inactive listings» on their accounts. Basically they are asking you to cancel old listings that you have on your NFTs that are still fulfillable, because they are unable to cancel them for you. pic.twitter.com/Fgd854Dezj

— dingaling (@dingalingts) January 27, 2022

OpenSea also said that it is actively engaging with the affected and reimbursing their costs. In an interview with Bloomberg, collector Robert Garcia said that his NFT Mutant Ape Yacht Club was mistakenly sold for 4.7 ETH (about $12,200). The company reimbursed him 13.8 ETH (about $35,880).

Back in September 2021, the OpenSea error led to the destruction of 42 NFTs valued at $100,000.

Follow ForkLog news on VK.