Do NFT Loopholes Uncover NFT Security Issues?
For several weeks, an OpenSea loophole allowed buyers to acquire valuable Bored Ape Yacht Club non-fungible tokens (NFTs) at prices far below their market value. For example, Bored Ape Yacht Club #9991 was bought for 0.77 ETH and quickly resold for 84.2 ETH. The first report of such a transaction appeared on Twitter on January 1, 2022, and since then many more NFTs have been bought for a fraction of their market value.
How the OpenSea NFT Incidents Happened
The underlying issue that allowed Bored Ape Yacht Club NFTs to be sold so cheaply appears to be a consequence of how OpenSea's listing protocol works rather than a vulnerability in the OpenSea interface. The affected users had listed their NFTs on OpenSea at a price that seemed reasonable at the time; up to this point the owners were in control and everything functioned as designed.
Later, these users wanted to cancel their listings, presumably because they realized their NFTs were worth far more than the price they had originally set. But cancelling a listing requires an on-chain transaction, and that transaction cost more in gas on Ethereum than simply transferring the NFT to a different wallet.
Given the high Ethereum transaction costs, some of these users chose to transfer their NFTs to another wallet instead. That made the listing unfillable while the token was away, since the seller no longer owned it, but it did not cancel the listing itself; only a cancellation transaction does that. So when the owners later moved the NFTs back to the wallet from which they had been listed, the old listings became fillable again through the OpenSea API at the original price, even though they no longer appeared in the OpenSea UI. Savvier users snatched them up at those prices as quickly as they could.
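To make the mechanics concrete, here is a hypothetical minimal marketplace written as an added example for this article. It is not OpenSea's Wyvern contract and simplifies heavily: a listing is a message the seller signs off-chain, the marketplace stores nothing about it until someone fills or cancels it, and ownership is checked only at fill time. The `cancelAll` counter is an assumed design choice to show a cheaper alternative to cancelling listings one by one, not a description of what OpenSea offered at the time.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical marketplace (not OpenSea's code) illustrating why a signed
// listing survives a transfer-out-and-back: nothing on-chain records the
// seller's change of mind unless the seller pays for a cancellation.
contract SignedListingMarket {
    struct Listing {
        address maker;
        address nft;
        uint256 tokenId;
        uint256 price;
        uint256 counter; // must match makerCounter[maker] when filled
    }

    mapping(bytes32 => bool) public cancelled;
    mapping(bytes32 => bool) public filled;
    mapping(address => uint256) public makerCounter;

    // Domain-separated hash so a signature cannot be replayed on another
    // chain or another deployment of this contract.
    function hashListing(Listing calldata l) public view returns (bytes32) {
        return keccak256(abi.encode(block.chainid, address(this),
            l.maker, l.nft, l.tokenId, l.price, l.counter));
    }

    // Validity is evaluated only when someone asks. While the token sits in
    // another wallet the ownerOf check fails; once it is moved back, the same
    // signature is fillable again at the same price.
    function isFillable(Listing calldata l, bytes calldata sig) public view returns (bool) {
        bytes32 h = hashListing(l);
        if (cancelled[h] || filled[h]) return false;
        if (l.counter != makerCounter[l.maker]) return false;
        if (recover(h, sig) != l.maker) return false;
        return IERC721(l.nft).ownerOf(l.tokenId) == l.maker;
    }

    // The only way to kill one listing: an on-chain write, which costs gas.
    function cancel(Listing calldata l) external {
        require(msg.sender == l.maker, "not maker");
        cancelled[hashListing(l)] = true;
    }

    // Assumed mitigation: one transaction invalidates every outstanding
    // signature of the caller, so many stale listings cost one cancellation.
    function cancelAll() external {
        makerCounter[msg.sender] += 1;
    }

    function fill(Listing calldata l, bytes calldata sig) external payable {
        require(isFillable(l, sig), "listing not fillable");
        require(msg.value == l.price, "wrong price");
        filled[hashListing(l)] = true; // effect before external calls
        // The maker must have approved this contract on the NFT beforehand.
        IERC721(l.nft).transferFrom(l.maker, msg.sender, l.tokenId);
        (bool ok, ) = l.maker.call{value: msg.value}("");
        require(ok, "payout failed");
    }

    // eth_sign-style recovery. Production code should use a library such as
    // OpenZeppelin's ECDSA, which also rejects malleable high-s signatures.
    function recover(bytes32 h, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        if (v < 27) v += 27;
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
        return ecrecover(digest, v, r, s);
    }
}
```

The point to take from `isFillable` is that a transfer changes the answer to "is this fillable right now?" without touching `cancelled`, so moving the token back restores the original answer. A marketplace UI that hides listings for tokens the seller no longer holds can give the impression that the listing is gone when, from the contract's point of view, it never went anywhere.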
Eventually, OpenSea reimbursed around $1.8 million to the users whose NFTs had been sold on the cheap.
Unlucky Sevens
Another incident occurred during the mint of The Sevens NFT collection in September 2021. The collection consisted of 7,000 NFTs, and anyone who wanted one had to mint it through the collection's smart contract, which enforced a per-transaction limit. The rules of the mint were: one NFT per transaction during the first seven minutes after launch, and seven NFTs per transaction after that.
The mint itself was cheap, 0.07 ETH, but gas fees during the launch ran into the hundreds of thousands of dollars, according to user reports. However, the user 1ethSHOP found a way around that. They deployed their own smart contract and circumvented the timestamp-based limiter in The Sevens' contract. This allowed them to mint 1,000 of The Sevens NFTs at a very low cost compared to what others minting through the site paid.
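The following is an added example, not The Sevens' contract or 1ethSHOP's code, and the article does not state exactly how the limiter was bypassed. It shows the rule described above implemented as a per-call limit, one common way a custom contract defeats such a limit (many calls inside one transaction, each individually within the cap), and a hardened variant. The contract names, the per-wallet cap of 7 and the minimal ownership mapping in place of a full ERC721 are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical mint with the rule described above: at most 1 token per call
// for the first seven minutes, 7 per call after that. Ownership bookkeeping
// is reduced to a mapping; a real drop would use ERC721.
contract PerCallLimitedMint {
    uint256 public constant MAX_SUPPLY = 7000;
    uint256 public constant PRICE = 0.07 ether;
    uint256 public immutable launchTime;
    uint256 public totalSupply;
    mapping(uint256 => address) public ownerOf;

    constructor() {
        launchTime = block.timestamp;
    }

    function maxPerCall() public view returns (uint256) {
        return block.timestamp < launchTime + 7 minutes ? 1 : 7;
    }

    // The limiter only inspects this call's quantity. Nothing records how
    // many tokens the same sender already received in earlier calls.
    function mint(uint256 quantity) external payable {
        require(quantity > 0 && quantity <= maxPerCall(), "over per-call limit");
        require(msg.value == quantity * PRICE, "wrong payment");
        require(totalSupply + quantity <= MAX_SUPPLY, "sold out");
        for (uint256 i = 0; i < quantity; i++) {
            totalSupply += 1;
            ownerOf[totalSupply] = msg.sender;
        }
    }
}

// One way a custom contract sidesteps a per-call limiter: a single transaction
// that makes many internal calls, each within the limit. The minter pays one
// transaction's overhead and places one gas bid for all of them. This is an
// illustration, not a claim about the exact technique used in 2021.
contract LoopMinter {
    function mintMany(PerCallLimitedMint target, uint256 calls) external payable {
        uint256 per = target.maxPerCall();
        uint256 costPerCall = per * target.PRICE();
        require(msg.value == calls * costPerCall, "wrong payment");
        for (uint256 i = 0; i < calls; i++) {
            target.mint{value: costPerCall}(per);
        }
        // The minted tokens now belong to this contract; forwarding them to
        // the deployer is omitted here.
    }
}

// Hardened variant: the cap is tracked per minter across all calls, and calls
// from contracts are refused. The tx.origin check is blunt (it also excludes
// smart-contract wallets), but for a public drop it is the usual way to stop
// the looping pattern above; a per-wallet cap alone can be spread over many
// throwaway contracts.
contract PerWalletLimitedMint {
    uint256 public constant MAX_SUPPLY = 7000;
    uint256 public constant PRICE = 0.07 ether;
    uint256 public constant MAX_PER_WALLET = 7; // assumed cap
    uint256 public immutable launchTime;
    uint256 public totalSupply;
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public mintedBy;

    constructor() {
        launchTime = block.timestamp;
    }

    function maxPerCall() public view returns (uint256) {
        return block.timestamp < launchTime + 7 minutes ? 1 : 7;
    }

    function mint(uint256 quantity) external payable {
        require(msg.sender == tx.origin, "contracts may not mint");
        require(quantity > 0 && quantity <= maxPerCall(), "over per-call limit");
        require(mintedBy[msg.sender] + quantity <= MAX_PER_WALLET, "over wallet limit");
        require(msg.value == quantity * PRICE, "wrong payment");
        require(totalSupply + quantity <= MAX_SUPPLY, "sold out");
        mintedBy[msg.sender] += quantity;
        for (uint256 i = 0; i < quantity; i++) {
            totalSupply += 1;
            ownerOf[totalSupply] = msg.sender;
        }
    }
}
```

The lesson for an audit is that "per transaction" is not something a contract can observe directly: `mint` sees one call at a time, and a contract caller can make as many calls as its gas allows. State that persists across calls (`mintedBy`) or a check on who originated the transaction is what actually enforces the rule the launch announced.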
Eventually, 1ethSHOP returned 500 of the 1,000 minted NFTs to The Sevens project team, allowing the NFTs to be redistributed among the community.
What Did We Learn From These Incidents?
When it comes to the security of NFT smart contracts themselves, they have held up much better against attacks, largely because NFT smart contracts usually involve far simpler code than smart contracts for fungible tokens. The NFT ecosystem is also less complex and less composable than DeFi, which further reduces the attack surface.
The OpenSea incident showed how user error played a major role: the affected users tried to circumvent the fees without properly cancelling their listings. In the incident with The Sevens NFTs, nothing was actually stolen. Call it a matter of semantics, but one person simply found a way to mint NFTs at a lower cost through the official The Sevens smart contract.
To prevent high-value NFTs from being sold for a fraction of their market price, marketplaces should educate their users and raise awareness of how the underlying blockchain mechanics work, in particular that a listing remains valid until it is cancelled on-chain. Projects that offer NFT minting and want to avoid incidents like the one with The Sevens have two best options: reuse tried-and-tested codebases from other projects, and have their own smart contracts audited.
A properly audited smart contract gives users confidence in using it, reflects well on the project's reputation, and ultimately reduces the chance of an unintended outcome through the project's contract.

