OpenSea’s front-end bug leaves investors vulnerable to an exploit
On January 24, users started reporting that their Bored Ape Yacht Club (BAYC) NFTs had been sold without their explicit consent for extremely low prices.
At the time of the exploit, the floor price of the BAYC collection was around $200,000. Victims of the exploit saw their Apes being sold for as low as $1,700, which is less than 1% of the market price.
Further investigation revealed that a front-end bug in OpenSea, the largest NFT marketplace, allowed an exploiter to snatch NFTs at previous listing prices.
Since the NFT market is not as liquid as the cryptocurrency market, NFT sellers have to submit their offers and often wait a long time until somebody buys their listings. Some BAYC holders didn’t pay the high Ethereum transaction fees to properly de-list their NFTs, but rather chose to transfer the items to secondary wallets and then back to the main wallet. This trick de-lists NFTs from the OpenSea website, but it doesn’t cancel previous listings at the blockchain level, leaving them vulnerable to the exploit.
The Bored Ape Yacht Club is the second-largest NFT collection by trading volume, founded in 2021 by pseudonymous members of the Yuga Labs team. The BAYC consists of 10,000 unique ape avatars, which range in price from hundreds of thousands to millions of dollars.
Earlier in January, NFT marketplace Rarible launched an order management tool that allows users to cancel old sell orders. OpenSea implemented a similar tool after the attack. Another way to protect assets from such exploits is to completely revoke the permissions granted to marketplaces. It’s important to remember, though, that all the items will be re-listed once the permission is granted again.
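The de-listing gap and the two mitigations described above can be traced in a simplified model. This is an added example, not code from the original article or from OpenSea or Rarible; the names `Order`, `Chain` and `stale_listings`, the wallet labels and all values are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Order:
    """A signed sell order (listing). Fields are simplified assumptions."""
    order_id: int
    maker: str       # wallet that signed the listing
    token_id: int
    price: float     # constructed value

@dataclass
class Chain:
    owner: dict = field(default_factory=dict)     # token_id -> current holder
    approved: set = field(default_factory=set)    # wallets that approved the marketplace
    cancelled: set = field(default_factory=set)   # order ids cancelled on-chain

    def fillable(self, o: Order) -> bool:
        # The old signature stays valid until it is cancelled on-chain.
        return (o.order_id not in self.cancelled
                and self.owner.get(o.token_id) == o.maker
                and o.maker in self.approved)

def stale_listings(chain, orders, shown_in_ui):
    """Orders the front end no longer shows but a buyer could still fill."""
    return [o.order_id for o in orders
            if o.order_id not in shown_in_ui and chain.fillable(o)]

def scenario():
    chain = Chain(owner={1: "main"}, approved={"main"})
    orders = [Order(order_id=7, maker="main", token_id=1, price=1.0)]
    shown = {7}                      # listing visible on the site
    steps = {}

    chain.owner[1] = "secondary"     # transfer out: site drops the listing
    shown.discard(7)
    steps["after_transfer_out"] = stale_listings(chain, orders, shown)

    chain.owner[1] = "main"          # transfer back: site still shows nothing
    steps["after_transfer_back"] = stale_listings(chain, orders, shown)

    chain.approved.discard("main")   # mitigation: revoke marketplace permission
    steps["after_revoke"] = stale_listings(chain, orders, shown)
    chain.approved.add("main")       # permission granted again: order is live again
    steps["after_regrant"] = stale_listings(chain, orders, shown)

    chain.cancelled.add(7)           # mitigation: cancel the old order on-chain
    steps["after_cancel"] = stale_listings(chain, orders, shown)
    return steps

if __name__ == "__main__":
    for step, ids in scenario().items():
        print(f"{step}: fillable but hidden -> {ids}")
```

Only the on-chain cancellation removes the old order for good in this model; revoking permission protects the token only while the permission stays revoked.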
Investors are dissatisfied with SundaeSwap and CardStarter
A major drama blew up in the Cardano community between two DeFi-focused projects that took their internal conflict to social media, blaming each other for investor dissatisfaction.
The conflict started after the Cardano-based SundaeSwap (SUNDAE) decentralized exchange didn’t give any significant reward to liquidity providers that came from the CardStarter community despite promises of “great benefits”.
In summer 2021, SundaeSwap developers landed a partnership agreement with Cardano project accelerator CardStarter, which committed to providing liquidity to SundaeSwap instead of developing its own DEX. Both projects addressed the recent situation in separate statements, and the SundaeSwap team mentioned that they cannot reveal all the details about their previous “merger” agreement in June without CardStarter’s consent, due to a mutual non-disclosure provision.
The situation was worsened by the fact that many users reported failed transactions and other issues when trying to trade on the long-awaited, recently launched SundaeSwap DEX. Following the launch of Cardano’s first decentralized app (dApp), the network experienced severe congestion due to an influx of excited users.
In other news
Singapore-based cryptocurrency exchange Crypto.com revoked all customer 2FA tokens and paused all withdrawals for 13 to 14 hours following a hacker attack. The company first denied any loss of funds, but then admitted that hundreds of accounts had been compromised, resulting in a loss of more than $30 million. A large portion of the stolen funds has been laundered through the Ethereum-based mixing protocol Tornado Cash.
Alex Lupascu, co-founder of the OMNIA protocol, pointed out that the popular web3 wallet MetaMask Mobile has a critical privacy vulnerability that allows an attacker to get a user’s IP address by airdropping an NFT that contains a malicious URL. According to MetaMask founder Daniel Finlay, the vulnerability has been known for “a long time” and a potential fix could be to only load IPFS links by default.
Ethereum’s major scaling solution Polygon has rolled out the fee-burning upgrade EIP-1559 for better “fee visibility” and to introduce a deflationary effect on its native token MATIC. The upgrade was supported by major exchanges, including Binance.
The mayor of the Brazilian city of Rio de Janeiro announced intentions to allocate 1% of the city’s treasury reserves towards buying bitcoin. The mayor is also looking to provide a 10% discount on taxes when paid in cryptocurrencies.
In a series of tweets, a former member of parliament of Tonga pushed for faster Bitcoin adoption, outlining an ETA for Bitcoin becoming legal tender in the Pacific island nation.