An exploit on NFT marketplace OpenSea enabled one buyer to purchase Bored Ape Yacht Club (BAYC) for tens of thousands of dollars less than the collection’s floor price.
BAYC #9991 owner Tballer was devastated when his Ape was sold for just 0.77 (about $1,700).
The buyer, who goes by the name “jpegdegenlove,” was also able to snap up BAYC #8924 for 6.66 ETH (around $14,700) and #8274 for just under 23 ETH (around $50,800). The floor price for a BAYC NFT is currently 86 ETH, which is just under $200,000 at the time of writing.
Jpegdegenlove also bought two Mutant Ape NFTs, a Cool Cats NFT, and a CyberKongz NFT, and appears to have gained about 332 ETH ($733,500) using the exploit.
The BAYC NFT collection is OpenSea’s No. 2 collection of all time, having traded over 338,000 in secondary sales.
Etherscan has already labeled the account in question “OpenSea Opportunistic Buyer.”
To make matters stranger, two of the Bored Apes are now sitting in an OpenSea account that reportedly belongs to someone named Juan Fdez.
Fdez has yet to respond to a request for comment.
A number of BAYC holders congregated in a Twitter Space shortly after the incident occurred to speculate on what happened. After some discussion on how OpenSea listings work, it appears that some holders, like TBaller, did not pay the necessary Ethereum gas fees to de-list their item fully, instead choosing to use OpenSea’s “transfer” feature.
If NFT holders transfer their NFTs from a main wallet to a secondary one and back to the main wallet, they can virtually (on the front end, at least) de-list their item from OpenSea. But this transfer method does not actually appear to cancel previous listings on the blockchain’s backend, leaving NFTs vulnerable to the exploit.
Using orders.rarible.com provides a solution to concerned NFT holders, as it allows users to view all previous and current listings of their NFTs on Rarible or OpenSea. They will then have to pay gas fees to effectively cancel those old listings to eliminate the ability for them to be purchased off the blockchain.
OpenSea has yet to acknowledge the issue at press time. Decrypt has reached out for comment.
This post first appeared on: Decrypt