TL;DR Breakdown:
- Former Bored Ape NFT owner seeks $1 million in damages from OpenSea
- He claims his BAYC #3475 wasn’t stolen and sold from his wallet amid a bug.
- In January, users complained about their NFT selling for less than the floor price.
On 18th February, a man from Texas filed a lawsuit against the largest NFT marketplace OpenSea, seeking about $1 million in damages from the company or the return of his Bored Ape NFT.
Texas man demands $1M from OpenSea
In the lawsuit filed with the Texas federal court, the now-former Bored Ape Yacht Club (BAYC) owner, Timothy McKimmy, claimed his Bored Ape NFT (#3475, which ranked among BAYC top 20% rarity) was stolen from his wallet and sold for a fraction of its actual worth – about 0.01 ETH or $25.22 in today’s price. The hacker immediately flipped the NFT for a cool 99 ETH or over $249k.
McKimmy said he didn’t list the NFT for sale. However, he believes a vulnerability in the OpenSea marketplace – which the team knew about – enabled the hacker to steal and list the Bored Ape #3475 from his wallet.
“Instead of shutting down its platform to address and rectify these security issues, Defendant continued to operate. Defendant risked the security of its users’ NFTs and digital vaults to continue collecting 2.5% of every transaction uninterrupted,” McKimmy claimed in the lawsuit.
Given the rarity score and previous sale records of similar Bored Ape NFTs, McKimmy is demanding up to $1 million in damages or the return of the NFT. Prior to this, McKimmy reportedly said he tried to amicably engage with OpenSea to resolve the issue but yielded no progress.
How NFTs in OpenSea were exploited
In January, OpenSea users reported a vulnerability “listing bug” that allowed people unwittingly sell their NFTs, including Bored Ape Yacht Club, below the floor price, which is the least amount of an NFT in the collection. Amid the bug, Bored Ape #9991 was sold for 0.77 ETH, which was far below the floor price at 86 ETH, according to Coingecko. This is suspected to be the same case for McKimmy.
As reported, the issue was found in the “transfer” feature introduced in OpenSea, which basically allowed users to delist their items from the marketplace without constituting any gas fee. Technically, this feature only delisted the items on the front end. They could still be accessed because they weren’t delisted from the protocol’s backend. Although OpenSea has now introduced a fix for this vulnerability, users still need to pay gas fees to actually cancel their listings from the backend.
A costly bug
Following the number of complaints and people affected by the listing bug, the marketplace was obliged to compensate the victims, who were mostly BAYC owners. As Cryptopolitan recently reported, OpenSea reimbursed the victims based on the floor price, which cost the company a total of $1.8 million.
It’s no news that OpenSea users are at the center of the attack for hackers, given the popularity and volume traded on the platform. Recently, a hacker made away with about $1.7 million worth of NFTs through phishing attacks targeted at OpenSea users. Last year, the company was able to freeze up to $2.2 million worth of stolen NFTs.
