22 Feb 2022 Samantha McLauren
OpenSea Drama Continues After Phishing Attacks With $1 Million Lawsuit
Dark clouds may be gathering over OpenSea, the largest NFT marketplace to date, after the NFT marketplace got stung for at least $1.7 million worth of NFTs.
Although the team launched an all-hands-on-deck investigation, identified the primary cause of the attack, and reported that the incident was indeed a phishing attack “originating outside of OpenSea’s website,” there is still no clear estimate of the size of the attack.
Nevertheless, OpenSea users are starting to take legal action against the NFT marketplace. Timothy McKimmy, who goes by the nickname McKimmy on OpenSea, is leading the pack with a lawsuit for $1 million after his Bored Ape Yacht Club NFT was stolen in the attack.
The attackers managed to exploit a security vulnerability to illegally access McKimmy’s wallet and sell his Bored Ape Yacht Club NFT to a third party for 0.01 WETH, or around $26 as of press time. However, given the popularity of NFTs like the Bored Ape Yacht Club collection, the estimated price floor for the collection is around 91.9 ETH per NFT or just a little short of $240,000.
NFT pricing differs somewhat from the market price valuation of fungible tokens like Ethereum or Bitcoin. NFTs, being sold from one person to another, are valued by the minimum price that sellers are willing to accept for their tokens at a given point in time, called a price floor.
A price floor at that level is actually not that high for an NFT. According to data from OpenSea, several NFTs of the Bored Ape Yacht Club NFT collection are listed with really steep price tags. For instance, Ape #8229 is currently selling for 15,000 ETH, or around $39 million.
The phishing attack really got OpenSea working around the clock to determine the possible causes of the exploit. It turns out the attacker exploited a critical moment in the life cycle of OpenSea. Since it is an NFT marketplace, OpenSea operates via smart contracts to fulfill transactions. The attacker used the moment when OpenSea was updating its smart contract to push malicious code in place of the official emails the marketplace sends to its users asking them to authorize the new smart contract deployment.
The malicious code gave the attacker full access to the victims’ wallets, which resulted in numerous NFTs leaving the wallets for a fraction of their floor price.
Furthermore, according to McKimmy and his lawsuit against the NFT marketplace, OpenSea “(failed) to implement policies and procedures to prevent, identify, detect, respond to, mitigate, contain, and/or correct security violations.” McKimmy is demanding payment for “the valuation of the Bored Ape, and/or monetary damages over $1,000,000.”
The OpenSea drama seems to have been going on since at least January 24, 2022, when some OpenSea users reported that their NFTs were sold at rock-bottom prices by hackers who leveraged a flaw in the OpenSea listing process. Hackers then purchased those NFTs at almost 98% discounts and subsequently sold them for much higher.
Blockchain analytics firm Elliptic, which discovered a flaw in how the platform handles asset listings, audited the first attack, adding that at least five attackers were involved in the exploit.
Back in January, OpenSea tried to work things out with the attack victims by reimbursing them. For instance, one victim of the attack, Robert Garcia, said his Mutant Ape NFT was sold for 4.7 Ether (about $11,300) on Sunday. The victim further explained that immediately after finding out about the vulnerability, he emailed OpenSea and received a refund offer. Experts claim that OpenSea gave out over $1.8 million after the initial exploit.
The second attack, on February 20, 2022, saw another batch of NFTs getting stolen, including Bored Ape Yacht Club (BAYC), Azuki, Farm Land by Pixels, and more. Still, OpenSea did not post any news about the latest exploit.